GnuPG Smartcard and Authentication Key

Volker Dormeyer volker at ixolution.de
Sun May 28 23:12:34 CEST 2006


Hi David,

thanks for the reply.

 * On Sun, 28 May 2006 16:30:55 -0400,
 * David Shaw <dshaw at jabberwocky.com> wrote:

 > On Sun, May 28, 2006 at 08:24:14PM +0200, Volker Dormeyer wrote:
 >> Hello all,
 >> 
 >> recently I received a message which is encrypted with my public
 >> authentication key instead of my encryption key.
 >> 
 >> I wonder how this can happen, because I thought GnuPG does not use the
 >> authentication key as encryption key. Am I wrong?
 >> 
 >> Further, I am not able to decrypt the message. I tried it manually with
 >> "--try-all-secrets", but it doesn't seem to work. Basically it should
 >> work. I mean, I have the authentication private key.

 > This is unfortunately turning into a FAQ.  Basically, you've run into
 > an old PGP bug.  It was recently fixed (I don't recall exactly in what
 > version), but there are countless installations of PGP that predate
 > the fix.

This is what I read in the gnupg-users archive before I send the
question. I have to admit, I do not understand exactly, because I know
that the user who sent me the message is using GnuPG. It shows

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.5 (GNU/Linux)

in the ASCII armored cipher text.

 > OpenPGP keys have "key flags" that indicate what a key is to be used
 > for (encryption, signing, or authentication).  GnuPG honors these
 > flags and will not encrypt to any key that isn't marked for
 > encryption.  The bug is that PGP is not properly looking at the key
 > and will happily encrypt to a signing or authentication key.

I am aware of the different "key flags". This was the reason why I
wondered how this could be happen.

 > As to what you can do about it, your best bet is to contact the sender
 > and ask for a retransmission encrypted to the proper key.  It might be
 > possible to write a program that can essentially trick the smartcard
 > into decrypting the message by pretending it is a signature that needs
 > to be verified but it depends on how exactly the card handles
 > signatures.  In any event, no such program exists today.

Thanks,
Volker

-- 
 Volker Dormeyer                                  <volker at ixolution.de>
 Join the Fellowship and protect your Freedom!    (http://www.fsfe.org)




More information about the Gnupg-users mailing list