Bugtraq mailing list archives

(ai) Another Instance of the Importance of Safeguarding Private Crypto Keys


From: "David Kennedy CISSP (by way of David Kennedy CISSP <david.kennedy () acm org>)" <david.kennedy () ACM ORG>
Date: Tue, 20 Mar 2001 19:24:50 -0500

-----BEGIN PGP SIGNED MESSAGE-----

Cryptologists from Czech company ICZ detected a serious security
vulnerability of international magnitude

http://www.i.cz/en/onas/tisk4.html

A bug has been found in the security format OpenPGP, which is used
worldwide. The bug can lead to the discovery of users' private keys
used in digital signature systems. The OpenPGP format is widely used
in many applications worldwide, including extremely popular programs
like PGP(TM), GNU Privacy Guard, and others. The bug detection
comes at the right time, as Philip Zimmermann, the creator of the PGP
program, has left Network Associates, Inc. and aims to boost the
OpenPGP format in other products for privacy security on the Internet.
From the scientific point of view, the discovery goes far beyond
actual programs - it has wider theoretical and practical impact.<<

A slight modification of the private key file followed by capturing
a signed message is enough to break the private key.  These tasks
can be performed without knowledge of the user's passphrase. After
that, a special program can be run on any office PC. Based on the
captured message, the program is able to calculate the user's
private key in half a second. The attacker can then sign any
messages instead of the attacked user.  Despite the very quick
calculation, the program is based on special cryptographic
know-how. <<

Similar vulnerabilities can be expected in other asymmetrical
cryptographic systems, including systems based on elliptic curves.
<<

DSA and RSA keys are reportedly equally vulnerable.

DMK Comment:  A detailed report was supposed to be "released shortly"
but has not appeared so far.  The press release does not specify
whether diddling the private key results in any error messages.  I
hope this does not spawn another round of "PGP is
cracked/cracking/crackable" media hysteria.  The importance of key
management has always been critical and this would seem to only add
to the reasons why.  There are viruses that try to steal PGP's secret
key, there are trojans that make it possible to steal PGP's secret
key.  Storing keys on shared/networked workstations has always been
recognized as a problem with PGP.  The comp.security.pgp FAQ
includes:  Can I put PGP on a multi-user system like a network or a
mainframe? <http://www.uk.pgp.net/pgpnet/pgp-faq/faq-03.html#3.18>

Still...if it's a slow news week..?

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: How long has it been since you backed up your hard drive?

-----END PGP SIGNATURE-----

--
Regards,

David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.


*
* NOTE: In accordance with Title 17 <U.S.C.> Section 107, this material
* is distributed without profit or payment to those who have expressed a
* prior interest in receiving this information for non-profit research and
* educational purposes only. Provided by G2-Forward.
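
The message above notes that the press release does not say whether a modified private key file produces any error. The following is an added example, not part of the original post or of any PGP implementation: a signer that verifies each signature against a separately stored public key before releasing it, so a damaged key file yields an error instead of a signature. The toy RSA key, the key-file layout, the choice of altered field and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key from two Mersenne primes; unpadded and far too
# small for real use. It only illustrates the self-check.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

class KeyIntegrityError(Exception):
    """Raised when a freshly made signature fails its own verification."""

def load_key(tampered=False):
    """Private-key fields as read from a key file (hypothetical layout).
    tampered=True simulates one stored value altered on disk; which field
    an attacker would alter is an assumption, the page does not say."""
    key = {"n": N, "e": E, "p": P, "q": Q, "dp": D % (P - 1),
           "dq": D % (Q - 1), "qinv": pow(Q, -1, P)}
    if tampered:
        key["dq"] ^= 1
    return key

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign_crt(key, msg):
    """Plain RSA-CRT signing with no self-check."""
    m = digest(msg, key["n"])
    sp = pow(m, key["dp"], key["p"])
    sq = pow(m, key["dq"], key["q"])
    return sq + key["q"] * ((key["qinv"] * (sp - sq)) % key["p"])

def verify(n, e, msg, sig):
    return pow(sig, e, n) == digest(msg, n)

def sign_checked(key, trusted_n, trusted_e, msg):
    """Sign, then verify against a separately stored public key before
    releasing anything. A bad result is withheld, not returned."""
    sig = sign_crt(key, msg)
    if not verify(trusted_n, trusted_e, msg, sig):
        raise KeyIntegrityError("signature failed self-check; key file suspect")
    return sig

if __name__ == "__main__":
    msg = b"constructed sample message"
    print("intact key:", verify(N, E, msg, sign_checked(load_key(), N, E, msg)))
    try:
        sign_checked(load_key(tampered=True), N, E, msg)
    except KeyIntegrityError as err:
        print("tampered key:", err)
```

The check uses a public key held apart from the private key file, since values read from a modified file cannot be trusted to verify its own output.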

