GnuPG Project Fixes "Critical Security Problem" That Existed Since 1998

Datetime:2016-08-23 03:22:02          Topic:          Share

The GnuPG project released an advisory last week, advising users to update their software to the latest version, which includes a fix for a "critical security problem" that affects all GnuPG (GPG, or Gnu Privacy Guard) versions released in the last 18 years.

The bug affects the mixing functions in the RNG (random number generator) used for Libgcrypt, a core GPG library.

Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of

Technology discovered the issue, tracked by the CVE-2016-6316 ID. They say that an attacker who manages to obtain 4640 bits from the RNG can trivially predict the next 160 bits of its output.

Werner Koch, GPG's creator and main developer, says that this does not weaken existing keys and recommends that users not hurry to revoke existing keys. He also says that it is unlikely that an attacker could guess or compromise private keys generated via the DSA and ElGamel algorithms, based on existing public information.

Other applications that implement GPG or Libgcrypt should update their code, Koch recommends. He says that all versions released before August 17, 2016, are affected, on all OS platforms.

Koch released GPG/GnuPG versions 1.4.21 and 2.1.15 to address this issue. Safe Libgcrypt versions are 1.7.3, 1.6.6, and 1.5.6.

GPG/GnuPG is a software package that allows users to encrypt their communications. Users install it to encrypt email exchanges, but the base package is also embedded in many other products to provide encryption support.