standard dictates both the ciphering mode and the format to ensure that you
can exchange private keys between different products.
If the signature is based on DSA, i.e. on the discrete logarithm, Mallory does not even need to touch the encrypted secret exponent: he only has to modify the public part of the signature key that is stored in the clear next to it, replacing the base of the logarithm with one over which the discrete logarithm is easy to compute. A single signature made with the tampered parameters then reveals the secret exponent, and he has reached his goal.
Fortunately, this flaw can be fixed. One simple solution would be to store key-dependent checksums (such as HMACs keyed with the passphrase) in a separate file and have 'secure' implementations evaluate that file. The most secure solution, however, is to have the creator of the signature verify it immediately after producing it, before it is released: a signature made with a tampered key does not verify under the genuine public key. This costs additional computation time, but that is negligible next to the time it takes to enter a passphrase. It is the solution GnuPG opted for.
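The two paragraphs above in working form, as an added example that is neither from the book nor GnuPG's or PGP's own code: a textbook DSA signer that trusts whatever domain parameters it reads from the key store, Mallory swapping those cleartext parameters for a tiny group in which the discrete logarithm falls to exhaustive search, and the countermeasure of verifying every fresh signature before it is released. To fit in one run, Mallory replaces the whole parameter set (p, q, g) rather than just the base, recovers x modulo three small primes and combines them with the Chinese remainder theorem. The sizes (40-bit q, 16-bit planted groups), the seed and the message are constructed; real keys differ only in size, not in structure.

```python
import hashlib
import random
from itertools import product

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (plenty for toy-sized parameters)."""
    if n < 2:
        return False
    if any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_domain(q_bits, rng):
    """Return (p, q, g): q a q_bits-bit prime, q | p-1, g of order q mod p."""
    q = 4
    while not is_probable_prime(q, rng):
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    m = 2
    while not is_probable_prime(m * q + 1, rng):
        m += 1
    p, h = m * q + 1, 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)

def hash_int(msg, q):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def dsa_sign(params, x, msg, rng):
    """Textbook DSA signing. Like the OpenPGP code of 2001 it trusts the
    (p, q, g) it is handed; that trust is what Mallory exploits."""
    p, q, g = params
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hash_int(msg, q) + x * r) % q
        if r != 0 and s != 0:
            return r, s

def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = pow(g, hash_int(msg, q) * w % q, p) * pow(y, r * w % q, p) % p
    return v % q == r

def leak_x_mod_q(params, msg, sig):
    """Mallory's side: in a group small enough to enumerate, find every k
    with (g^k mod p) mod q == r and solve s*k = H + x*r for x (mod q)."""
    p, q, g = params
    r, s = sig
    h = hash_int(msg, q)
    return {(s * k - h) * pow(r, -1, q) % q
            for k in range(1, q) if pow(g, k, p) % q == r}

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    big_m = 1
    for m in moduli:
        big_m *= m
    return sum(a * (big_m // m) * pow(big_m // m, -1, m)
               for a, m in zip(residues, moduli)) % big_m

def demo(seed=1):
    """Run the attack and the countermeasure on one reproducible key."""
    rng = random.Random(seed)        # fixed seed: constructed, reproducible
    p, q, g = dsa_domain(40, rng)    # Alice's honest domain parameters
    x = rng.randrange(1, q)          # her secret exponent (encrypted on disk)
    y = pow(g, x, p)                 # her published public key
    msg = b"constructed sample message"
    # Mallory cannot read x, but p, q, g sit next to it in the clear. He
    # plants three tiny groups (distinct q) whose product exceeds q.
    traps = {}
    while len(traps) < 3:
        t = dsa_domain(16, rng)
        traps[t[1]] = t
    traps = list(traps.values())
    sigs = [dsa_sign(t, x, msg, rng) for t in traps]   # Alice signs as usual
    residues = [sorted(leak_x_mod_q(t, msg, s)) for t, s in zip(traps, sigs)]
    recovered = None
    for combo in product(*residues):   # several k can share one r: try all
        cand = crt(combo, [t[1] for t in traps])
        if cand < q and pow(g, cand, p) == y:
            recovered = cand
            break
    # Countermeasure: verify each fresh signature before it leaves the
    # machine. Mallory cannot recompute y under his parameters (that needs
    # x), so the planted signature fails even against the store as he left it.
    good = dsa_sign((p, q, g), x, msg, rng)
    return {"x_recovered": recovered == x,
            "honest_sig_ok": dsa_verify((p, q, g), y, msg, good),
            "planted_sig_ok_honest_store": dsa_verify((p, q, g), y, msg, sigs[0]),
            "planted_sig_ok_tampered_store": dsa_verify(traps[0], y, msg, sigs[0])}
```

The only thing the signing routine does wrong is to believe the parameters it reads back from disk, which is exactly the situation in the unprotected OpenPGP secret key packet; the self-check works because y, unlike p, q and g, cannot be replaced by something consistent without knowing x.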
At first the attack was not considered 'that bad', because if Mallory had gained access to Alice's computer, he could just as well have swapped her PGP program for one more to his liking. But things are not quite that easy. Alice might notice the swap. Eavesdropping on her passphrase isn't easy either: Mallory would have to be listening at the very moment she typed it in, or he would have to install a program that captures it and sends him the result later, and that program could also be discovered. In contrast, if Mallory changes a bit of the private key, intercepts one signature, and then undoes the change, the result is an (almost) perfect crime: Alice would never be able to prove that he can forge her signature. All PGP and OpenPGP products have since been fixed. Incidentally, this example shows how farsighted it was never to use the same key for signing and encryption; otherwise Mallory could even have read Alice's traffic.
The actual cause of the whole trouble was once again a lack of cryptological knowledge: CFB mode, like a stream cipher, allows 'bit-flipping attacks' (flipping a ciphertext bit flips the same bit of that plaintext block, and only garbles the block that follows), so the stored key needs integrity protection of its own. This integrity protection must not be a linear checksum such as a CRC (that was the mistake in WLAN encryption and GSM), but a cryptographic hash, best of all an HMAC with the passphrase as the key.
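Added example (not from the book): the bit-flipping property of CFB, why a linear checksum does not protect against it, and why a passphrase-keyed HMAC does. The block function is a SHA-256 keyed PRF standing in for a real block cipher, which suffices because CFB only ever uses the encrypting direction; the passphrase, IV and the 64 bytes of 'private key' are constructed. CRC-32 plays the linear checksum (as in WEP), an HMAC over the stored ciphertext plays the keyed check.

```python
import hashlib
import hmac
import zlib

BLOCK = 16

def block_encrypt(key, block):
    """Toy block function E_K (a keyed PRF). CFB needs only this direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb_encrypt(key, iv, plaintext):
    assert len(plaintext) % BLOCK == 0      # whole blocks keep the demo short
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        ks = block_encrypt(key, prev)
        c = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], ks))
        out += c
        prev = c                    # C_i is the input for block i+1's keystream
    return bytes(out)

def cfb_decrypt(key, iv, ciphertext):
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(c, block_encrypt(key, prev)))
        prev = c                    # P_i = C_i xor E_K(C_{i-1})
    return bytes(out)

def flip_bit(data, byte_index, bit):
    d = bytearray(data)
    d[byte_index] ^= 1 << bit
    return bytes(d)

def damage_pattern(original, tampered):
    """Per block: did the plaintext stay intact, change in one bit, or garble?"""
    labels = []
    for i in range(0, len(original), BLOCK):
        a = int.from_bytes(original[i:i + BLOCK], "big")
        b = int.from_bytes(tampered[i:i + BLOCK], "big")
        bits = bin(a ^ b).count("1")
        labels.append({0: "intact", 1: "one bit"}.get(bits, "garbled"))
    return labels

def forge_crc(old_crc, delta):
    """CRC-32 is affine: crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0..0). Mallory
    updates the stored checksum from his difference D alone, never seeing P."""
    return old_crc ^ zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))

def demo():
    key = hashlib.sha256(b"constructed passphrase").digest()  # toy S2K
    iv = bytes(range(BLOCK))                                   # constructed
    secret = bytes(range(64))        # constructed stand-in for the private exponent
    ct = cfb_encrypt(key, iv, secret)
    stored_crc = zlib.crc32(secret)  # linear, key-independent check
    stored_tag = hmac.new(key, iv + ct, hashlib.sha256).digest()  # keyed check

    # Flip in the last block: exactly one plaintext bit changes, nothing else.
    ct_last = flip_bit(ct, 50, 0)
    pt_last = cfb_decrypt(key, iv, ct_last)
    # Same flip in a middle block: one bit there, and the next block garbles.
    ct_mid = flip_bit(ct, 20, 3)
    pt_mid = cfb_decrypt(key, iv, ct_mid)

    delta = flip_bit(bytes(64), 50, 0)   # Mallory knows exactly what he changed

    def hmac_ok(c):
        tag = hmac.new(key, iv + c, hashlib.sha256).digest()
        return hmac.compare_digest(stored_tag, tag)

    return {"last_block_flip": damage_pattern(secret, pt_last),
            "middle_flip": damage_pattern(secret, pt_mid),
            "crc_forged": forge_crc(stored_crc, delta) == zlib.crc32(pt_last),
            "hmac_accepts_original": hmac_ok(ct),
            "hmac_accepts_tampered": hmac_ok(ct_last)}
```

The garbled follow-on block is why Mallory picks a bit whose successor he does not need intact (or the last block); the linear checksum then costs him nothing to repair, while recomputing the HMAC needs the passphrase-derived key he does not have.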
7.1.5 A Tip for Working with Keyrings
I have warned on several occasions in this book that the private key is a kind of master key: if it is compromised, somebody can read your encrypted traffic almost effortlessly, even retroactively. This makes even a costly attack rewarding. For example, if Alice encrypts her messages with DES, and if Mallory