Re: [Enigmail] Popescu and keys
On Thu, 21 May 2015 23:58, b...@adversary.org said:

> Is it possible that a keyserver running the old, buggy PKS code
> (v. 0.9.something) mangled these keys?

Yes, but that won't explain why the key binding signature is valid.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: [Enigmail] Popescu and keys
On 22/05/2015 5:00 pm, Werner Koch wrote:
> On Thu, 21 May 2015 23:58, b...@adversary.org said:
>> Is it possible that a keyserver running the old, buggy PKS code
>> (v. 0.9.something) mangled these keys?
>
> Yes, but that won't explain why the key binding signature is valid.

Okay, there's clearly some deeply weird stuff happening with those keys, or rather, has happened to them.

Has anyone identified the pattern in the screenshots at the top of the list of ~160-170 UIDs?

Regards,
Ben
Re: [Enigmail] Popescu and keys
On 22/05/2015 5:37 am, Werner Koch wrote:
> These are all encryption subkeys. The third key is the one from H. Peter Anvin. I have not found one of the fingerprints given in the said blog posting: gpg removed it while importing the key. It is a bit disturbing that the other subkey listed above has a good key binding signature.
>
> I got distracted for some time and a few weeks later the PGP team at Symantec reported back that these are all duplicated subkeys where the other subkey had no small factors. Their thesis is that this happened due to memory corruption while merging a key. They planned to investigate that further using the PGP SDK but, like me, the case was more or less forgotten.

Is it possible that a keyserver running the old, buggy PKS code (v. 0.9.something) mangled these keys?

Regards,
Ben
Lower Bound for Primes during GnuPG key generation (was Re: [Enigmail] Popescu and keys)
On 5/21/2015 at 3:45 PM, Werner Koch w...@gnupg.org wrote:

> Some guy downloaded most RSA keys from a keyserver and tried to factor 1.9 million moduli. They found 30 keys with a subkey having one of the first 1000 primes as a factor.
>
> I looked at 8 of those keys and found that 2 are likely PGP created and 6 are by GPG.

=

When GnuPG creates an RSA keypair, is there a minimum *low* for primes it will ignore?

(i.e. Will GnuPG reject a prime for key generation if it is one of the first 1000 primes, or first million primes, or any fixed lower level?)

And if so, is it feasible to mount an attack on a keypair by starting with trying successive primes greater than this lower bound, and possibly successfully find *some* GnuPG secret keys?

TIA,

vedaal
Re: [Enigmail] Popescu and keys
On Thu, 21 May 2015 18:23, d...@fifthhorseman.net said:

> At least one of the keys he claimed to have broken is a degraded copy
> of one of H. Peter Anvin's actual subkeys, as Hanno Böck pointed out
> here:

That reminds me of a private discussion I had last autumn. Some guy downloaded most RSA keys from a keyserver and tried to factor 1.9 million moduli. They found 30 keys with a subkey having one of the first 1000 primes as a factor. He asked a few of them and while most used different versions of GnuPG one recalled having used a commercial PGP tool to create the key in 2007.

I looked at 8 of those keys and found that 2 are likely PGP created and 6 are by GPG.

| Mail | S | factor | size | keyid    | created    |
|------+---+--------+------+----------+------------|
|      | g | 0x3    | 4096 | xxx7     | 2010-12-28 |
|      | p | 0x49a3 | 3001 | xxx2     | 2007-04-29 |
|      | g | 0x1125 | 4096 | 1299816A | 2011-09-22 |
|      | g | 0x182d | 2048 | xxx3     | 2011-09-23 |
|      | g | 0x3    | 4096 | xxxB     | 2011-08-09 |
|      | g | 0xc29b | 4096 | xxx0     | 2011-02-02 |
|      | g | 0x3cb3 | 2048 | xxxC     | 2012-02-07 |
|      | p | 0x1f   | 2048 | xxxF     | 2010-01-18 |

These are all encryption subkeys. The third key is the one from H. Peter Anvin. I have not found one of the fingerprints given in the said blog posting: gpg removed it while importing the key. It is a bit disturbing that the other subkey listed above has a good key binding signature.

I got distracted for some time and a few weeks later the PGP team at Symantec reported back that these are all duplicated subkeys where the other subkey had no small factors. Their thesis is that this happened due to memory corruption while merging a key. They planned to investigate that further using the PGP SDK but, like me, the case was more or less forgotten.

Incidentally, I met one of the other guys with a broken subkey at LinuxCon and he told me that some folks complained that they can't encrypt to him. For others this was no problem, though.

My conclusion is that there are two issues:

- Someone adding broken subkeys to the keyservers with a bad key-binding signature. No problem at all.

- About 30 keys with a valid key binding but with a partly duplicated subkey where both have a valid key binding signature. Most likely a software bug.

Salam-Shalom,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.
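Added example, not code posted by anyone in this thread: the small-factor survey Werner describes (trial division of each RSA modulus by the first 1000 primes) as a key-hygiene check one can run on one's own public keys. The two sample moduli are constructed from known Mersenne primes so it runs offline; extracting a real modulus from a key's packet dump is assumed to be done separately, the functions take plain integers.

```python
import math

# Added example (not from the mailing list). Trial-divide RSA moduli by the
# first 1000 primes, the check Werner's correspondent ran over 1.9 million
# keyserver moduli. A genuine RSA modulus p*q with p and q of about n/2 bits
# can never have a factor this small, so any hit means the key material is
# not an honest product of two large primes (e.g. a corrupted subkey).

def first_primes(count):
    """Return the first `count` primes via a plain sieve.
    Sieve limit uses the bound n*(ln n + ln ln n) for the n-th prime (n >= 6)."""
    limit = 15 if count < 6 else int(count * (math.log(count) + math.log(math.log(count)))) + 1
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime][:count]

SMALL_PRIMES = first_primes(1000)   # 2 .. 7919

def small_prime_factors(n, primes=SMALL_PRIMES):
    """Return the small primes (with multiplicity) dividing the modulus n."""
    found = []
    for p in primes:
        while n % p == 0:
            found.append(p)
            n //= p
    return found

def is_suspect_modulus(n):
    """True if n has any factor among the first 1000 primes."""
    return bool(small_prime_factors(n))

# Constructed sample "moduli" (not real key material):
M89 = 2 ** 89 - 1      # Mersenne prime
M107 = 2 ** 107 - 1    # Mersenne prime
GOOD_MODULUS = M89 * M107            # no small factors, like a sound subkey
BAD_MODULUS = 3 * 7 * M89 * M107     # small factors, like the broken subkeys in the table

if __name__ == "__main__":
    for name, n in (("good", GOOD_MODULUS), ("bad", BAD_MODULUS)):
        factors = small_prime_factors(n)
        print(name, "suspect" if factors else "ok", [hex(f) for f in factors])
```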
Re: [Enigmail] Popescu and keys
On Thu 2015-05-21 12:23:20 -0400, Daniel Kahn Gillmor wrote:
> Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them.
>
> To provide him with an opportunity to demonstrate this (Hi Mircea!), i've produced this message, encrypted to rjh's encryption-capable subkey. Mircea, if you can decrypt it, you should find a secret message, signed by me, which includes within it the message-id of the e-mail i'm replying to.

I've been informed by Mircea offlist that he has no interest in continuing this conversation, so i'm dropping him from CC here.

It appears to me that he has nothing concrete to demonstrate, and he has shown an inability to correct factual errors he has already published. Not very impressive :(

I think there's nothing interesting to see here, but if i hear anything more substantive, i'll be sure to follow up on this thread to let people know.

Regards,

--dkg
Re: [Enigmail] Popescu and keys
> Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them.

He didn't say. You're correct in that I made an unfounded assumption; thank you for the correction. :)

> Given the poor communication patterns and lack of retraction of unfounded claims, i'm not currently worried that this is a real attack. I am prepared to take it seriously if Mircea can follow up effectively on either of the challenges here, though.

Likewise. I'm not worried about this, and I hope no one else on these lists is, either.
Re: [Enigmail] Popescu and keys
On Wed 2015-05-20 20:13:32 -0400, Robert J. Hansen wrote:
> In the last couple of days a few different people have pointed me to Mircea Popescu's blog, where he's claimed he's broken ~150 keys that are in common circulation among the keyservers.

At least one of the keys he claimed to have broken is a degraded copy of one of H. Peter Anvin's actual subkeys, as Hanno Böck pointed out here:

  https://blog.hboeck.de/archives/872-About-the-supposed-factoring-of-a-4096-bit-RSA-key.html

To my knowledge, Mircea (cc'ed here) has not retracted this particular claim, despite having issued at least three updates to his initial report about this key (which is not behind a paywall at the moment):

  http://trilema.com/2015/full-disclosure-4096-rsa-key-in-the-strongset-factored/

> Unfortunately, his blog post is rather difficult to read: it's full of rude political asides that have no bearing on anything cryptological. I regret that, because it obscures what I think is a fascinating question: has he actually managed to recover private keys given just the public key?
>
> He claims to already have broken my key. If so, proving it is straightforward: sign a 256-bit value with my private key and upload it somewhere the world can see it.
>
> I'm going to be fascinated by the results, one way or another. If he can successfully do this it's going to lead to a lot of very interesting questions.
>
> For those people who are concerned about this, relax and remember to breathe. :)
>
> The 256-bit value, in base64 encoding:
>
> * anr8HIZZ1hRjeaXDxJ71qBNpw5s9r+42CqF+Bpk9vU4=

Which key does he claim to have broken? If Mircea has broken your encryption-capable subkey (0xB8A6B74C001892C2) then he might only be able to decrypt messages sent to you, but not sign them.

To provide him with an opportunity to demonstrate this (Hi Mircea!), i've produced this message, encrypted to rjh's encryption-capable subkey.
Mircea, if you can decrypt it, you should find a secret message, signed by me, which includes within it the message-id of the e-mail i'm replying to. You can either produce the session-key (e.g. with gpg --show-session-key) or produce the signed message to demonstrate that you have control of Robert's secret key material:

Given the poor communication patterns and lack of retraction of unfounded claims, i'm not currently worried that this is a real attack. I am prepared to take it seriously if Mircea can follow up effectively on either of the challenges here, though.

Regards,

--dkg