BSI sends private PGP keys
Public and private keys apparently confused the BSI too. It sent out a private
key, though one with password protection.
An exclusive report by Hanno Böck, published on November 15, 2021, 2:30 p.m.
Is it a public key or a private key? Public key encryption is confusing.
Mail encryption based on the OpenPGP standard is often considered complicated,
which is one of the reasons it has not yet gained broad acceptance. It apparently
also confused the Federal Office for Information Security (BSI): the agency
accidentally sent out a private PGP key.
Someone had written to the BSI's contact e-mail address for product certification
asking for a PGP key in order to communicate with the authority in encrypted
form. In response, however, the person received a private PGP key rather than
the expected public key.
The BSI confirmed the incident to Golem.de: "In fact, a file was sent that contained
a corresponding private key."
A silver lining: a hopefully strong password
PGP-based encryption uses so-called public-key cryptography: different keys are
used for encryption and decryption. The public key can be handed to
communication partners, who use it to encrypt. The private key is used for
decryption and must be kept secret.
Fortunately for the BSI, the private key that was sent was password-protected.
How serious the incident is therefore depends on how strong that password is.
Password-protected private keys can sometimes be cracked by brute force, but
this is only practical with rather weak passwords.
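The check a sender could run before attaching a key block, as an added example that is not code from the article, the BSI or any OpenPGP project: it parses an ASCII-armored OpenPGP block, reports whether it contains Secret-Key packets (tags 5 and 7) rather than Public-Key packets (tags 6 and 14), and, for v4 RSA, DSA and Elgamal keys, whether the secret material carries a non-zero S2K usage octet, i.e. is passphrase-protected. Function and constant names are assumptions, both old- and new-format packet headers are handled (partial body lengths are not), and the embedded key block is constructed toy data, not a real key.

```python
import base64
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # public MPIs per algorithm id: RSA variants, Elgamal, DSA

def dearmor(text):  # base64-decode an armored block; 'Key: value' armor headers and the '=' CRC line are skipped
    lines = [l.strip() for l in text.splitlines()]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    return base64.b64decode("".join(l for l in lines[begin + 1:end] if l and ":" not in l and l[0] != "="))
def packets(data):  # yield (tag, body) per packet, RFC 4880 section 4.2; partial body lengths are rejected
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                   # new-format header: tag in the low 6 bits
            tag, b = ctb & 0x3F, data[i]
            if b < 192:
                length, i = b, i + 1
            elif b < 224:
                length, i = ((b - 192) << 8) + data[i + 1] + 192, i + 2
            elif b == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header: tag in bits 2-5, 1/2/4-octet length
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 3)
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length
def s2k_usage(body):  # S2K usage octet of a v4 Secret-Key body; 0 means the secret MPIs are stored in the clear
    if body[0] != 4 or body[5] not in MPI_COUNT:
        return None                                      # unsupported key version or algorithm
    pos = 6                                              # version(1) + creation time(4) + algorithm(1)
    for _ in range(MPI_COUNT[body[5]]):                  # skip the public MPIs: 2-octet bit count + magnitude
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    return body[pos]
def classify(armored):  # -> (kind, protected): 'private' if any tag 5/7 packet, else 'public'; protected is
    kind, protected = "public", None                     # True only if every parsed secret packet has usage != 0
    for tag, body in packets(dearmor(armored)):
        if tag in (5, 7):
            kind, usage = "private", s2k_usage(body)
            if usage is not None:
                protected = usage != 0 and protected is not False
    return kind, protected

_mpi = lambda n: n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")  # test helper
def _armor(label, tag, body):  # constructed test data: old-format header with a 1-octet length, no CRC line
    b64 = base64.b64encode(bytes([0x80 | tag << 2, len(body)]) + body).decode()
    return f"-----BEGIN PGP {label}-----\nComment: constructed\n\n{b64}\n-----END PGP {label}-----\n"
_PUB = b"\x04" + b"\x00" * 4 + b"\x01" + _mpi(0xC0FFEE) + _mpi(65537)  # constructed v4 RSA: toy n and e, not a real key
SAMPLE_PUBLIC = _armor("PUBLIC KEY BLOCK", 6, _PUB)
SAMPLE_PRIVATE = _armor("PRIVATE KEY BLOCK", 5, _PUB + b"\xfe" + b"\x00" * 8)   # S2K usage 254: passphrase-protected
```

Running `classify()` on a real export lets a sender confirm the block is public before it leaves the mailbox; a `('private', False)` result means unencrypted secret material.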
The BSI informed Golem.de "that the password protection mentioned meets a very
high standard. In addition, attachments requiring protection are also encrypted with
Chiasmus. The BSI is therefore currently assuming that there is no specific risk to
information security."
BSI was still using keys months after the incident
At first, the incident was not taken seriously at the BSI. The person to whom
the key had been sent informed the authority immediately, but the BSI continued to
use the key for several months.
It was only after a request from Golem.de to the BSI's press office that the key was replaced.
"A new PGP key was immediately generated for the mailbox mentioned," replied the BSI.
"The associated public key and a revocation certificate for the old PGP key will now be
successively distributed to the respective contact person."
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users