GnuPG ElGamal Encrypt+Sign Private Key Disclosure

2003-11-27T05:04:48
ID OSVDB:2869
Type osvdb
Reporter Phong Nguyen (phong.nguyen@ens.fr)
Modified 2003-11-27T05:04:48

Description

Vulnerability Description

GnuPG has a serious flaw that compromises any ElGamal key used for signing or encrypting material. When GnuPG creates ElGamal sign+encrypt keys (type 20), it does so in a cryptographically weak way. This can be exploited to compromise the private key.

Technical Description

GnuPG allows the creation of ElGamal keys usable for both encryption and signing, and the primary key may be used for both operations. This is not normally considered best practice, but the OpenPGP standard allows it. In version 1.0.2, the ElGamal key code was modified to improve efficiency by selecting a smaller secret exponent x and using a smaller k for encryption. However, the same small k used for encryption was also used for signing. This can reveal the private key (the secret exponent x) if a signature made with that key is available, and a signature is always available for these primary ElGamal keys because one is used to bind the user ID and other components to the primary key (the self-signature).

This weakness does not apply to the far more common encrypt-only (type 16) ElGamal keys. Only ElGamal sign+encrypt keys (type 20) are affected, and only when used to make a signature with a GnuPG version between 1.0.2 and 1.2.3. However, you should absolutely not use or trust ElGamal sign+encrypt keys (type 20). Revoke those keys immediately, and consider all material signed or encrypted with these keys compromised.
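A keyring scanner, added here as an example and not part of this advisory or of GnuPG itself: it walks a binary OpenPGP export (for instance the output of gpg --export or gpg --export-secret-keys) and reports every key or subkey packet whose public-key algorithm ID is 20, the affected ElGamal sign+encrypt type, so that such keys can be found and revoked. The sample keyring is constructed inline with toy MPIs and is not a real key.

```python
ELGAMAL_ENCRYPT_ONLY, ELGAMAL_SIGN_ENCRYPT = 16, 20  # OpenPGP public-key algorithm IDs
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet of a binary OpenPGP stream (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet stream")
        if ctb & 0x40:                        # new-format header: tag in the low 6 bits
            tag, first, i = ctb & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not handled")
        else:                                 # old-format header (GnuPG 1.x uses it for key packets)
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:                        # length type 3: indeterminate, not used for keys
                raise ValueError("indeterminate-length packets are not handled")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def find_elgamal_sign_encrypt(keyring: bytes):
    """Return (packet kind, key version, creation time as Unix seconds) per ElGamal type 20 key."""
    hits = []
    for tag, body in iter_packets(keyring):
        # v4+ layout: version, 4-byte creation time, algorithm; v2/v3 insert a 2-byte validity field
        if tag in KEY_TAGS:
            algo = body[7] if body[0] in (2, 3) else body[5]
            if algo == ELGAMAL_SIGN_ENCRYPT:
                hits.append((KEY_TAGS[tag], body[0], int.from_bytes(body[1:5], "big")))
    return hits

def _key_packet(tag: int, algo: int, created: int) -> bytes:
    # Constructed v4 key packet with toy, insecure ElGamal MPIs (p=11, g=2, y=7), old-format header
    body = bytes([4]) + created.to_bytes(4, "big") + bytes([algo])
    body += b"".join(v.bit_length().to_bytes(2, "big") + bytes([v]) for v in (11, 2, 7))
    return bytes([0x80 | (tag << 2), len(body)]) + body   # length type 0: one-octet length

# Constructed sample keyring: a type 20 primary key dated 2003-11-27 plus a type 16 encrypt-only subkey
SAMPLE_KEYRING = (_key_packet(6, ELGAMAL_SIGN_ENCRYPT, 1069891200)
                  + _key_packet(14, ELGAMAL_ENCRYPT_ONLY, 1069891200))
```

Run it as find_elgamal_sign_encrypt(open("keyring.gpg", "rb").read()) on a binary export; an empty list means no type 20 key packets were present.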

Solution Description

Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch provided by the vendor to vulnerable 1.2.3 distributions.

Short Description

GnuPG has a serious flaw that compromises any ElGamal key used for signing or encrypting material. When GnuPG creates ElGamal sign+encrypt keys (type 20), it does so in a cryptographically weak way. This can be exploited to compromise the private key.

References:

Vendor Specific Solution URL: http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html
Secunia Advisory ID: 10304
Nessus Plugin IDs: 12547, 13816, 14091, 12439
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2003-q4/2998.html
ISS X-Force ID: 13852
CVE: CVE-2003-0971
CERT VU: 940388
Bugtraq ID: 9115