The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: Minor PGP vulnerability



-----Forwarded message from weidner@IFI.UNIZH.CH (Harald Weidner)-----

Approved-By: aleph1@UNDERGROUND.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Description: Main Body
X-Mailer: Mutt 0.69
Message-ID:  <19970715230248.05951@ifi.unizh.ch>
Date:         Tue, 15 Jul 1997 23:02:48 +0200
Reply-To:     weidner@IFI.UNIZH.CH
From:         Harald Weidner <weidner@IFI.UNIZH.CH>
Subject:      Minor PGP vulnerability
To:           BUGTRAQ@NETSPACE.ORG
X-Loop: bugtraq@Infodrom.North.DE
Precedence: bulk

Hi,

I'm not quite sure wether this belongs to this list, but since
there were several application related security bugs posted here,
I post this one, too. I have written some code for exploitation of
a well known security hole in PGP.

As you might know, PGP uses a 32-Bit number, called key-ID, as
an internal index for storing and recognizing keys. Although
the key-ID's are quite randomly distributed within 31 of the
32 bits (the key-ID is always odd), the scheme how this key id
is derived from the (public) key is not cryptographically secure.
It is possible to generate keys which have a certain, predefined
key-ID. This can confuse users and key servers, as pgp does not
accept several different keys with the same key id.

This is exactly what my patch does. You can find it on
http://www.ifi.unizh.ch/~weidner/pgp-keyid.patch. The file
size is about 11kB. I don't post it here to protect the
list server from exporting cryptographic software. The patch
is against PGP-2.6.3ia.

As a consequence, when obtaining PGP keys from insecure sources,
you should always check for the existance of a key with the same
key-ID in your own public keyring. To verify a key, always use
the fingerprint and never the key-ID.

Harald


--
Harald Weidner                   http://www.ifi.unizh.ch/~weidner/


-----End of forwarded message-----

-- 
  / Martin Schulze  *  joey@infodrom.north.de  *  26129 Oldenburg /
 /                              No question is too silly to ask, /
/    but, of course, some are too silly to answer  -- perl book /


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .