[Gllug] FYI: GnuPG's ElGamal signing keys compromised

Daniel P. Berrange dan at berrange.com
Thu Nov 27 15:50:19 UTC 2003


See

  http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html

<quote>
Phong Nguyen identified a severe bug in the way GnuPG creates and uses
ElGamal keys for signing.  This is a significant security failure
which can lead to a compromise of almost all ElGamal keys used for
signing.  Note that this is a real world vulnerability which will
reveal your private key within a few seconds.
</quote>

Fortunately it seems that use of ElGamal for signing is a non-default
option in GnuPG, so most people shouldn't be affected, but it's obviously
worth a thorough check. See the bottom of the posting for how to
identify what key types you are using.

Dan.
-- 
|=-               http://www.berrange.com/~dan/gpgkey.txt             -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
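
One way to run the check suggested above, as an added example that is not part of the original post or the GnuPG announcement: it scans `gpg --with-colons` output for OpenPGP public-key algorithm 20 (ElGamal sign+encrypt, per RFC 4880), as opposed to 16 (ElGamal encrypt-only, which cannot sign). The function names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ElGamal keys that are able to sign.
# OpenPGP public-key algorithm IDs (RFC 4880):
#   16 = ElGamal, encrypt-only (cannot sign)
#   20 = ElGamal, sign+encrypt (the key type the announcement is about)

# Reads a colon-format key listing on stdin and prints one line per
# type-20 key. Exit status: 0 if none found, 1 if at least one is present.
find_elgamal_signing_keys() {
    awk -F: '
        # Key records only: primary keys and subkeys, public or secret.
        # Field 3 = key length, field 4 = algorithm ID, field 5 = key ID.
        $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
            if ($4 == 20) {
                printf "AFFECTED %s %s bits=%s\n", $1, $5, $3
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample listing (key IDs, names and dates are made up).
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:1111111111111111:2003-01-01:::u:Alice Example <alice@example.org>::scESC:
sub:u:2048:16:2222222222222222:2003-01-01::::::e:
pub:u:2048:20:3333333333333333:2002-06-01:::u:Bob Example <bob@example.org>::scESC:
sub:u:1024:1:4444444444444444:2002-06-01::::::e:
EOF
}

# Demo on the constructed listing; only the type-20 primary key is reported.
sample_listing | find_elgamal_signing_keys || true

# Against a real keyring:
#   gpg --list-keys --with-colons | find_elgamal_signing_keys
#   gpg --list-secret-keys --with-colons | find_elgamal_signing_keys
```

A non-zero exit status means at least one sign-capable ElGamal key was listed, so the function can gate a script that audits several keyrings.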