SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#26188

Keys generated with PGP5i batch mode do not contain sufficient randomness on systems that use /dev/random

Overview

Under certain circumstances, PGP v5.0 generates keys that are not sufficiently random, which may allow an attacker to predict keys and, hence, recover information encrypted with that key.

I. Description

Generating Randomness in PGP Keys

In order to generate cryptographically secure keys, PGP (and other products) need to use random numbers as part of the input to the key generation process. Generating truly random numbers is a difficult problem. PGP has traditionally solved that problem by prompting the user to type some random characters or to move the mouse in a random manner, measuring the time between keystrokes and using this as a source of random data. Additionally, PGP uses a file (usually called randseed.bin) as a source of randomness. However, PGP also provides the ability to generate keys non-interactively (useful, for example, if you need to generate a large number of keys simultaneously or provide a script to generate a key). When generating keys non-interactively, PGP needs a source of random numbers; on some systems PGP v5.0 uses the /dev/random device to provide the required random numbers.

PGP v5.0, including U.S. Commercial, U.S. Freeware, and International versions, contains a flaw in reading the information provided by /dev/random. This is not a flaw in /dev/random but instead is the result of a flaw in how PGP processes the information returned from /dev/random. Thus, when a key is generated non-interactively using a command such as

    pgpk -g <DSS or RSA> <key-length> <user-id> <timeout> <pass-phrase>

it does not contain sufficient randomness to prevent an attacker from guessing the key. If such a command were issued on a system with no available randseed.bin file, then the resulting key may be predictable.

This problem was discovered and analyzed by Germano Caronni <gec@acm.org>, and verified by Thomas Roessler <roessler@guug.de> and Marcel Waldvogel <mwa@arl.wustl.edu>. A copy of their analysis can be found at

II. Impact

Keys produced non-interactively with PGP v5.0 on a system with a /dev/random device may be predictable, especially those produced in an environment without a pre-existing randseed.bin file.


Documents encrypted with a vulnerable key may recoverable by an attacker. Additionally, an attacker may be able to forge a digital signature corresponding to a vulnerable key.

Signatures produced using a vulnerable key, including signatures in certificates, may be untrustworthy.

III. Solution

If your PGP key was generated non-interactively using any version of PGP v5.0 on a system with a /dev/random device, you may wish to revoke it.

Documents encrypted with a predictable key may need to be re-encrypted with a non-vulnerable key, if your particular circumstances warrant it; that is, if the information still needs to be encrypted.

You may need to resign documents signed with a vulnerable key if your circumstances warrant it.

Systems Affected

VendorStatusDate NotifiedDate Updated
Network AssociatesUnknown11-Oct-2000
PGPVulnerable11-Oct-2000

References


http://www.securityfocus.com/bid/1251
http://www.securityfocus.com/templates/ archive.pike?list=1&msg=20000523141323.A28431@olymp.org

Credit

The CERT Coordination Center thanks Germano Caronni, Thomas Roessler, and Marcel Waldvogel for initially discovering and reporting this vulnerability, and for their help in developing this document. Additionally we thank Brett Thomas for his insights.

This document was written by Shawn V Hernan.

Other Information

Date Public:2000-05-30
Date First Published:2001-08-10
Date Last Updated:2001-08-10
CERT Advisory:CA-2000-09
CVE-ID(s):CVE-2000-0445
NVD-ID(s):CVE-2000-0445
US-CERT Technical Alerts: 
Metric:3.75
Document Revision:5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader