Gnu Privacy Guard (GnuPG) is a cryptographic utility used to generate cryptographic keys and perform other cryptographic functions. A vulnerability in the way GnuPG generates ElGamal keys has been discovered. This vulnerability renders ElGamal signing key untrustworthy.
A vulnerability in the algorithm to generate ElGamal sign+encrypt keys can permit an attacker to generate valid signatures without access to the private key. This vulnerability does not affect encrypt-only (type 16) ElGamal keys, only the ElGamal sign+encrypt key (type 20) when used to make a signature with a GnuPG version 1.0.2 or later.
A remote attacker can generate a valid signature without access to the private key.
Vendor| Status| Date Notified| Date Updated
GNU Privacy Guard| | -| 29 Dec 2003
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Thanks to Werner Koch for his advisory on this issue, and Phong Nguyen for reporting this vulnerability.
This document was written by Jason A Rafail.