Abstract:
More and more software use cryptography.
But how can one know if what is implemented is good cryptography?
For proprietary software, one cannot say much unless one proceeds
to reverse-engineering,
and history tends to show that bad cryptography is much more frequent
than good cryptography there.
Open source software thus sounds like a good solution,
but the fact that a source code can be read does not imply that it is actually read,
especially by cryptography experts.
In this paper, we illustrate this point
by examining the case of a basic Internet application
of cryptography: secure email. We analyze parts of the source code
of the latest version of GNU Privacy Guard (GnuPG or GPG), a free open source
alternative to the famous PGP software, compliant with the OpenPGP standard,
and included in most GNU/Linux distributions such as Debian, MandrakeSoft, Red Hat and SuSE.
We observe several cryptographic flaws in GPG v1.2.3.
The most serious flaw has been present in GPG for almost four years:
we show that as soon as one (GPG-generated) ElGamal signature of
an arbitrary message is released,
one can recover the signer's private key in less than a second on a PC.
As a consequence, ElGamal signatures and the so-called ElGamal sign+encrypt keys
have recently been removed from GPG. Fortunately,
ElGamal was not GPG's default option for signing keys.