|
|
Info |
Last Modified |
| 10 months ago |
|
|
|
|
Description |
PGP contains a flaw that may cause public and private keys to be generated without sufficient randomness potentially compromising the integrity and strength of the keys. The issue is due to a flaw in the "pgpk" program and it's reliance on /dev/random for entropy/randomness when creating new key pairs. If a user fails to use a long pass phrase and fails to input characters when prompted, the strength of the key pair may be significantly weakened to allow for cryptographic attack against the key pair.
|
|
Classification |
Location:
Local Access Required,
Remote/Network Access Required
Attack Type:
Cryptographic
Impact:
Loss of Confidentiality,
Loss of Integrity
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Technical |
This vulnerability only affects PGP 5.0i unix based installations that rely on /dev/random for key generation entropy (such as Linux and some BSDs). This vulnerability does not affect keys that were generated and relied on user input for randomness or that used a long user ID/pass phrase. This vulnerability does not affect systems that had a random seed file already present.
|
|
Solution |
Upgrade to version 6.0 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds: During key generation enter lots of characters when prompted, use a lengthy key ID and pass phrase.
|
|
Products |
|
PGP
 |
5.0 |
|
|
|
|
Credit |
- Germano Caronni - gec
 acm.org -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
