LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

GnuPG: ElGamal signing keys compromised

Package(s):gnupg CVE #(s):CAN-2003-0971
Created:November 28, 2003 Updated:March 3, 2004
Description: A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. This email message from Werner Koch contains more information. "Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds."
Alerts:
SCO Group CSSA-2004-009.0 2004-03-02
Debian DSA-429-2 2004-02-13
Debian DSA-429-1 2004-01-26
Gentoo 200312-05 2003-12-12
Fedora FEDORA-2003-025 2003-12-10
Red Hat RHSA-2003:395-01 2003-12-10
Red Hat RHSA-2003:390-01 2003-12-10
Conectiva CLA-2003:798 2003-12-09
SuSE SuSE-SA:2003:048 2003-12-03
Mandrake MDKSA-2003:109 2003-11-28
(Log in to post comments)

GnuPG: ElGamal signing keys compromised

Posted Dec 4, 2003 3:31 UTC (Thu) by freethinker (guest, #4397) [Link]

Keysigning party, anyone? ;)

ElGamal signing keys are rare!

Posted Dec 8, 2003 11:53 UTC (Mon) by ber (subscriber, #2142) [Link]

It is important to note that creating those kind of keys was discouraged and only possible by deliberately disabling the safety meatures.

See those quotes from Werner's email (my emphasis):

Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type.

According to the keyserver statistics, there are 848 primary ElGamal signing keys which are affected. These are a mere 0.04 percent of all primary keys on the keyservers. There are 324 vulnerable subkeys on the keyservers, too.

Red Hat RHSA-2003:390 is out for this

Posted Dec 11, 2003 12:56 UTC (Thu) by bjn (guest, #2179) [Link]

Link: RHSA-2003:390

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds