COMMAND

    pgp

SYSTEMS AFFECTED

    PGP

PROBLEM

    Cryptologists from the Czech company ICZ have detected a serious
    security vulnerability of international magnitude.  A bug has been
    found in the widely used security format OpenPGP.  The bug can
    lead to the discovery of users' private keys used in digital
    signature systems.  The OpenPGP format is used in many
    applications worldwide, including extremely popular programs
    like PGP(TM), GNU Privacy Guard, and others.  The discovery
    comes at the right time, as Philip Zimmermann, the creator of the
    PGP program, has left Network Associates, Inc. and aims to boost
    the OpenPGP format in other products for privacy and security on
    the Internet.  From the scientific point of view, the discovery
    goes far beyond actual programs: it has wider theoretical and
    practical impact.

    A slight modification of the private key file followed by
    capturing a signed message is enough to break the private key.
    These tasks can be performed without knowledge of the user's
    passphrase.  After that, a special program can be run on any
    office PC.  Based on the captured message, the program is able to
    calculate the user's private key in half a second.  The attacker
    can then sign any messages in place of the attacked user.  Despite
    the very quick calculation, the program is based on special
    cryptographic know-how.

    DSA and RSA keys are reportedly equally vulnerable.

    The technical paper is at:

        http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf (PDF, 100 KB)

    "The attack to private signature keys in OpenPGP format, PGP(TM)
    program and other OpenPGP based applications" is here:

        http://www.i.cz/pdf/pgp/OpenPGP_Attack_ENGfinal.ppt (PPT, 81 kB)

    ICZ's scientists' reactions to criticism and FAQ:

        http://www.i.cz/en/onas/ohlasy.html

    - Attackers have to diddle the secret key.
    - Does *not*  work with commercial  PGP 7.0.3 w/RSA  keys (unknown
      about earlier).
    - Does work with all DSA keys and RSA keys in GPG.

    They found a way to calculate a victim's private key from the
    victim's encrypted private key file and at least one signed
    message (signed by that private key).  It takes a small
    modification of the private key file and about half a second of
    calculation on a common PC.  So to successfully perform the attack
    their way, you have to:

    1) obtain the victim's private key file
    2) obtain at least one message signed by the above key
    3) have the knowledge and tools those ICZ folks have
    4) apply 3 to 1 and 2

    The attack takes advantage of misuse of crypto algorithms when
    encrypting the private key.  They claim the OpenPGP spec is
    responsible for that misuse.
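
    The attack as described needs a signed message produced after the
    key file was modified, so a signer can verify each signature
    against a public key kept outside that file before releasing it.
    The sketch below is an added example, not code from the advisory
    or from ICZ; the toy RSA-CRT key, the SecretKey record and all
    function names are assumptions made for illustration.

```python
# Added example (toy RSA-CRT, constructed key; not a real OpenPGP implementation).
import hashlib
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SecretKey:              # hypothetical record, not the OpenPGP packet layout
    n: int
    e: int
    p: int
    q: int
    dp: int                   # d mod (p-1)
    dq: int                   # d mod (q-1)
    qinv: int                 # q^-1 mod p

class KeyIntegrityError(Exception):
    pass

def make_key(p, q, e=65537):
    d = pow(e, -1, (p - 1) * (q - 1))
    return SecretKey(p * q, e, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))

def digest_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_crt(m, k):
    """Unpadded RSA-CRT signature of integer m (illustration only)."""
    sp, sq = pow(m, k.dp, k.p), pow(m, k.dq, k.q)
    return sq + k.q * ((k.qinv * (sp - sq)) % k.p)

def verify(m, s, n, e):
    return pow(s, e, n) == m % n

def checked_sign(m, k, trusted_n, trusted_e):
    """Sign, then self-verify against a public key kept outside the key file."""
    s = sign_crt(m, k)
    if not verify(m, s, trusted_n, trusted_e):
        raise KeyIntegrityError("signature failed self-check; not released")
    return s

# Constructed sample key from two Mersenne primes; far too small for real use.
GOOD = make_key(2**31 - 1, 2**61 - 1)
TAMPERED = replace(GOOD, dq=GOOD.dq ^ 1)   # simulates a modified key file

if __name__ == "__main__":
    m = digest_int(b"constructed sample message", GOOD.n)
    print("good key verifies:", verify(m, checked_sign(m, GOOD, GOOD.n, GOOD.e), GOOD.n, GOOD.e))
    try:
        checked_sign(m, TAMPERED, GOOD.n, GOOD.e)
    except KeyIntegrityError as err:
        print("tampered key blocked:", err)
```

    The trusted public values must come from a source the attacker
    cannot edit along with the secret key file; checking against the
    file's own copy would defeat the purpose.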

SOLUTION

    Nothing yet.