Problems with private keyring?

Florian Weimer fw at deneb.enyo.de
Thu Mar 22 22:37:03 CET 2001


Taral <taral at taral.net> writes:

> On Thu, Mar 22, 2001 at 08:44:56PM +0100, Florian Weimer wrote:
> > Unfortunately, the situation with DSA signatures is much, much worse.
> > IMHO, the protected data is probably not sufficient to validate the
> > unprotected data, so the way the secret key is stored has to be
> > changed completely.  This is going to introduce incompatibilities, and
> > I don't think I'm in a position to do this, so no further patches from
> > me, sorry. :-/
> 
> Well, the attack they propose relies on the fact that the p' they chose
> is deliberately very weak (p'-1 has a factorization consisting solely of
> powers of small primes) and that p' < q. I still cannot see, however, a
> way to replace (g, p, q, y) with another set which passes the proposed
> checks.

Their attack doesn't work with these checks in place.  However, there
are other attacks which involve modifying public DSA parameters.  I'm
not a cryptanalyst and I've just started reading about DSA (and
already decided that I don't like it at all, especially the OpenPGP
incarnation), so I'm not in the position to claim that a specific set
of consistency checks is safe or not.  Releasing a patch which is
solely based on consistency checks would imply such a statement.

(The situation with RSA is a bit clearer, because there is more
encrypted data which can be used for an integrity check.)

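To make concrete what the two messages above are arguing about, here is an added example in Python (not code from GnuPG, and not written by either participant) of the kind of consistency check that could be applied to the unprotected DSA parameters (p, q, g, y) when the secret keyring is loaded. The parameters are hypothetical toy-sized values chosen so the arithmetic is visible; real DSA uses a large p and a 160-bit q. The second scenario shows why recomputing y from the protected x alone does not validate the unprotected data: g' = 1, y' = 1 is consistent with every x. As the message says, passing these checks is not a demonstration that the storage format is safe.

```python
"""Toy DSA public-parameter consistency checks.

Added illustration, not GnuPG code.  All parameter values below are
hypothetical toy sizes; trial-division primality is only acceptable
because of that.
"""


def is_prime(n):
    """Deterministic trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def secret_matches_public(p, g, y, x):
    """The only check the protected data (x) alone gives you: y == g^x mod p."""
    return pow(g, x, p) == y


def check_dsa_params(p, q, g, y, x=None):
    """Return the list of failed structural checks (empty list: all passed).

    Checks: p and q prime, q < p, q | p-1, g and y in (1, p) and of order
    dividing q (i.e. in the subgroup of order q), and, if the secret
    exponent x is supplied, y == g^x mod p.
    """
    failures = []
    if not is_prime(p):
        failures.append("p is not prime")
    if not is_prime(q):
        failures.append("q is not prime")
    if q >= p:
        failures.append("q >= p")
    if (p - 1) % q != 0:
        failures.append("q does not divide p-1")
    if not 1 < g < p:
        failures.append("g out of range")
    elif pow(g, q, p) != 1:
        failures.append("g does not have order q")
    if not 1 < y < p:
        failures.append("y out of range")
    elif pow(y, q, p) != 1:
        failures.append("y not in the subgroup generated by g")
    if x is not None and 1 < g < p and not secret_matches_public(p, g, y, x):
        failures.append("y != g^x mod p")
    return failures


# Constructed toy parameters: p = 167, q = 83 (p = 2q + 1), g = 2^((p-1)/q) = 4.
P, Q, G, X = 167, 83, 4, 50
Y = pow(G, X, P)  # = 144

if __name__ == "__main__":
    print("honest parameters:", check_dsa_params(P, Q, G, Y, X))
    # Scenario 1: p replaced by p' = 17 (p'-1 = 2^4 is smooth and p' < q),
    # the kind of substitution Taral describes.
    print("weak p' = 17:", check_dsa_params(17, Q, G, Y, X))
    # Scenario 2: g' = 1, y' = 1.  The x-based check alone is satisfied for
    # any x, so the protected data does not validate these unprotected values.
    print("g'=1, y'=1 passes y == g^x:", secret_matches_public(P, 1, 1, X))
    print("g'=1, y'=1 structural checks:", check_dsa_params(P, Q, 1, 1, X))
```

Running it shows the honest parameters pass, the weak p' fails "q >= p" and "q does not divide p-1" (among others), and the g' = 1 substitution is only caught by the range/order checks, not by recomputing y from x.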


More information about the Gnupg-devel mailing list