[Gllug] FYI: GnuPG's ElGamal signing keys compromised
Daniel P. Berrange
dan at berrange.com
Thu Nov 27 15:50:19 UTC 2003
See
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html
<quote>
Phong Nguyen identified a severe bug in the way GnuPG creates and uses
ElGamal keys for signing. This is a significant security failure
which can lead to a compromise of almost all ElGamal keys used for
signing. Note that this is a real world vulnerability which will
reveal your private key within a few seconds.
</quote>
Fortunately it seems that use of ElGamal for signing is a non-default
option in GnuPG, so most people shouldn't be affected, but it's obviously
worth a thorough check. See the bottom of the posting for how to
identify what key types you are using.
Dan.
--
|=- http://www.berrange.com/~dan/gpgkey.txt -=|
|=- berrange at redhat.com - Daniel Berrange - dan at berrange.com -=|
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
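
The key-type check mentioned above, sketched as an added example that is not part of the original post or of the GnuPG announcement: it reads `gpg --list-keys --with-colons` output and reports keys whose public-key algorithm is 20, the OpenPGP ID for ElGamal "encrypt or sign" (16 is the encrypt-only type). The function name and the sample listing are constructed for illustration, and the field positions assume GnuPG's colon-delimited listing format.

```python
import sys

ELGAMAL_SIGN_ENCRYPT = 20  # OpenPGP algorithm ID for ElGamal "encrypt or sign"
ELGAMAL_ENCRYPT_ONLY = 16  # the usual encryption subkey type; not flagged

# Constructed sample of `gpg --list-keys --with-colons` output (not real keys).
SAMPLE_LISTING = """\
pub:u:1024:17:AAAAAAAAAAAAAAA1:2002-01-01:::u:Alice Example <alice@example.org>::scESC:
sub:u:2048:16:AAAAAAAAAAAAAAA2:2002-01-01::::::e:
pub:u:2048:20:BBBBBBBBBBBBBBB1:2001-06-01:::u:::scESC:
uid:u::::2001-06-01::0000000000000000::Bob Example <bob@example.org>:
pub:u:1024:17:CCCCCCCCCCCCCCC1:2003-03-03:::u:Carol Example <carol@example.org>::scSC:
sub:u:2048:20:CCCCCCCCCCCCCCC2:2003-03-03::::::es:
"""

def find_elgamal_signing_keys(colon_listing):
    """Return (record, key_id, primary_key_id, user_id) for every algorithm-20 key."""
    blocks = []  # one entry per primary key, with its subkeys and first user ID
    for line in colon_listing.splitlines():
        f = line.split(":")  # colons inside user IDs are escaped by gpg
        rec = f[0]
        if rec in ("pub", "sec") and len(f) > 4:
            # Older listings carry the user ID on the pub line (field 10).
            uid = f[9] if len(f) > 9 else ""
            blocks.append({"primary": f[4], "uid": uid, "keys": []})
        if not blocks:
            continue
        cur = blocks[-1]
        if rec == "uid" and not cur["uid"] and len(f) > 9:
            cur["uid"] = f[9]  # newer listings put user IDs on their own records
        elif rec in ("pub", "sec", "sub", "ssb") and len(f) > 4 and f[3].isdigit():
            cur["keys"].append((rec, int(f[3]), f[4]))
    return [(rec, key_id, b["primary"], b["uid"])
            for b in blocks
            for rec, algo, key_id in b["keys"]
            if algo == ELGAMAL_SIGN_ENCRYPT]

if __name__ == "__main__":
    # Pipe real output in:  gpg --list-keys --with-colons | python check.py
    text = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    for rec, key_id, primary, uid in find_elgamal_signing_keys(text):
        print(f"algorithm 20 ({rec}) key {key_id} under primary {primary}: {uid}")
```

Encrypt-only ElGamal subkeys (algorithm 16) are deliberately not reported, since the announcement concerns ElGamal keys used for signing.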