Vulnerabilidad PGP ?

Nessuna risposta
Iscritto: 05/18/2014

Ha salido hoy la noticia pero no se si coge al PGP de Trisquel: ROCA: Vulnerable RSA generation (CVE-2017-15361)

Hay algunos test offline si alguien quiere verlo.
El problema es el chip y el firmware , que no se si son privativos, pero que ejemplifican el "on-chip software" del que tanto debatimos.

("Generate a secure RSA keypair outside the device (e.g., via the OpenSSL library)" Supongo q esto ya lo hace trisquel. Pero el articulo dice cosas q me llaman la atencion:

A remote attacker can compute an RSA private key from the value of a public key. The private key can be misused for impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks.

" The actual impact of the vulnerability depends on the usage scenario, availability of the public keys and the lengths of keys used. We found and analyzed vulnerable keys in various domains including electronic citizen documents, authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but possibly up to two to three magnitudes more are vulnerable. The details will be presented in two weeks at the ACM CCS conference. "

y ...

" As the vulnerability is present in the on-chip software library and not limited just to a particular batch of hardware, the only reliable way is to generate an RSA keypair on the device and test the public key by the provided tools. It is recommended to test also the keys already in use. We believe the tools are very accurate - it is highly unlikely that a secure key would be flagged, as well as that a vulnerable key would be missed. "

En fin ya comentais si os parece factible