GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature.

Any ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.

The following summary was written by Werner Koch, GnuPG author :

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing.
Note that this is a real world vulnerability which will reveal your private key within a few seconds.

...

Please take immediate action and revoke your ElGamal signing keys.
Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.

Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing.

This update disables the use of this type of key.

A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to ElGamal sign+encrypt keys. From Werner Koch's email message :

'Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing. Note that this is a real world vulnerability which will reveal your private key within a few seconds.

Please *take immediate action and revoke your ElGamal signing keys*.
Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.'

And also :

'Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.'

MandrakeSoft urges any users who use the ElGamal sign+encrypt keys to immediately revoke these keys and discontinue use of them. Updated packages are provided that remove the ability to create these keys and to create signatures using these keys (thanks to David Shaw for writing the patch).

The remote host is missing the patch for the advisory SuSE-SA:2003:048 (gpg).


The gnupg (the SUSE package is named gpg) package is the most widely used software for cryptographic encryption/decryption of data.

Two independent errors have been found in gpg (GnuPG) packages as shipped with SUSE products: 

A) A format string error in the client code that does key retrieval from a (public) key server B) A cryptographic error in gpg that results in a compromise of a cryptographic keypair if ElGamal signing keys have been used for generating the key.


A) There exists a format string error in thhe client code for key retrieval from a keyserver. gpg-1.2.x version packages are affected by this vulnerability.
The format string error can be used by an attacker performing a man-in-the-middle-attack between you and your keyserver, or by a compromised keyserver. The result is a crash of gpg or a potential execution of arbitrary code provided by the attacker, if the keyserver is used for key retrieval at the time of the attack.

B) Werner Koch, the author of the gpg package, has publicly announced a weakness in gpg that has been reported to him by Phong Nguyen: ElGamal signing keys can be attacked within seconds to reveal the private key of the keypair. It is strongly advised that ElGamal signing keys should be revoked immediately. Only ElGamal keys are affected, other types are not vulnerable.

To find out if you are using an ElGamal signing key, list your public keys using the command

gpg --list-keys your_keyid

Example:
$ gpg --list-keys build@suse.de pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de> sub  2048g/8495160C 2000-10-19 [expires: 2006-02-12] $ 

If your key lists a capital 'G' after the key's length (like in pub  1536G/...), then your key is vulnerable. A small letter 'g' after the key length does NOT indicate any problem.
ElGamal keys can be used for primary keys as well as for subkeys. In the case where only a subkey is an ElGamal key, it is sufficient to revoke this specific subkey.

To revoke a key, generate a revocation certificate using the following command:

gpg --gen-revoke your_keyid > revocation_certificate.pgp

Then, the revokation certificate must be imported into your keyring:

gpg --import < revocation_certificate.pgp

As your last action, send the key with its revocation certificate to the keyservers that know your key:

gpg --keyserver wwwkeys.eu.pgp.net --send-keys your_keyid


ElGamal keys can only be generated by gpg if a special option (--expert) has been used to reveal 'expert' options, and if a warning has been ignored after your choice to use ElGamal keys. Such keys are rare (Werner Koch reports 848 primary ElGamal signing keys and 324 vulnerable subkeys on the keyservers.). Therefore, we expect that only experienced users of gpg may be vulnerable to the ElGamal signing key error.

Updated gnupg packages are now available for Red Hat Enterprise Linux.
These updates disable the ability to generate ElGamal keys (used for both signing and encrypting) and disable the ability to use ElGamal public keys for encrypting data.

GnuPG is a utility for encrypting data and creating digital signatures.

Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys, when those keys are used both to sign and encrypt data.
This vulnerability can be used to trivially recover the private key.
While the default behavior of GnuPG when generating keys does not lead to the creation of unsafe keys, by overriding the default settings an unsafe key could have been created.

If you are using ElGamal keys, you should revoke those keys immediately.

The packages included in this update do not make ElGamal keys safe to use; they merely include a patch by David Shaw that disables functions that would generate or use ElGamal keys.

To determine if your key is affected, run the following command to obtain a list of secret keys that you have on your secret keyring :

gpg --list-secret-keys

The output of this command includes both the size and type of the keys found, and will look similar to this example :

/home/example/.gnupg/secring.gpg
---------------------------------------------------- sec 1024D/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com>

The key length, type, and ID are listed together, separated by a forward slash. In the example output above, the key's type is 'D' (DSA, sign and encrypt). Your key is unsafe if and only if the key type is 'G' (ElGamal, sign and encrypt). In the above example, the secret key is safe to use, while the secret key in the following example is not :

/home/example/.gnupg/secring.gpg
---------------------------------------------------- sec 1024G/01234567 2000-10-17 Example User <example@example.com> uid Example User <example@example.com>

For more details regarding this issue, as well as instructions on how to revoke any keys that are unsafe, refer to the advisory available from the GnuPG website :

http://www.gnupg.org/

ID	Name	Product	Family	Severity
36752	FreeBSD : ElGamal sign+encrypt keys created by GnuPG can be compromised (81313647-2d03-11d8-9355-0020ed76ef5a)	Nessus	FreeBSD Local Security Checks	medium
15266	Debian DSA-429-1 : gnupg - cryptographic weakness	Nessus	Debian Local Security Checks	medium
14091	Mandrake Linux Security Advisory : gnupg (MDKSA-2003:109)	Nessus	Mandriva Local Security Checks	medium
13816	SuSE-SA:2003:048: gpg	Nessus	SuSE Local Security Checks	medium
12439	RHEL 2.1 / 3 : gnupg (RHSA-2003:395)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2003-0971

high

Tenable Plugins

medium

medium

medium

medium

medium