I hope you've all been hearing about the PGP bit...
Does anyone know if PGP commercial is avail for linux?
how much??
Well one thing I REALLY don't understand here is the
reference to a ".ppt" (M$ PowerPoint) file on the
"LINUX-ELITISTS" list???  WTF, can I shout any louder?
Maybe if we're elite, we run the ppt viewer in vmware
or some such... could our LUG get a 'bloze2k box
that we could all VNC to for such needs? ha!

happy sunday,

  ben

PS - I just cut the headers to save your space,
if you want'em, do tell.


-------- Original Message --------
From: "Karsten M. Self" <[EMAIL PROTECTED]>
Subject: [linux-elitists] [[EMAIL PROTECTED]: Czech PGP Flaw Tech Details]
To: Linux Elitists <[EMAIL PROTECTED]>

For those not following BUGTRAQ closely.  Note GPG *is* affected, if
your keys are diddleable.

--Karsten M. Self <[EMAIL PROTECTED]>    http://kmself.home.netcom.com/

...


X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date:         Thu, 22 Mar 2001 18:23:24 -0500
Reply-To: David Kennedy CISSP <[EMAIL PROTECTED]>
Sender: Bugtraq List <[EMAIL PROTECTED]>
From: David Kennedy CISSP <[EMAIL PROTECTED]>
Subject:      Czech PGP Flaw Tech Details
X-To:         Risks List <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

The promised technical paper is at:
http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf (PDF, 100 KB)

"The attack to private signature keys in OpenPGP format, PGP(TM)
program and other OpenPGP based applications" here.
http://www.i.cz/pdf/pgp/OpenPGP_Attack_ENGfinal.ppt (PPT, 81 kB)

ICZ's scientists' reactions to criticism and FAQ
http://www.i.cz/en/onas/ohlasy.html

I can't help myself, two lines from their FAQ:
>Do you think that it credits such attention or is it all a lot of
>hot air? If we didn't blow a bit of hot air on the world from time
>to time we'd all be true idiots.

It's good to know I'm not a "true idiot."

Hal Finney has a succinct analysis posted to the Open-PGP list
archived at:
http://www.imc.org/ietf-openpgp/mail-archive/msg04767.html

My summary of Hal's analysis:
1.  Attackers have to diddle the secret key.
2.  Does *not* work with commercial PGP 7.0.3 w/RSA keys (unknown
about earlier).
3.  Does work with all DSA keys and RSA keys in GPG.

--
Dave Kennedy CISSP Director of Research Services TruSecure Corp.
http://www.trusecure.com
