[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Sks-devel] Analyzing key server data
|
From: |
Daniel Roesler |
|
Subject: |
Re: [Sks-devel] Analyzing key server data |
|
Date: |
Sun, 22 Mar 2015 08:33:01 -0700 |
Great paper! Thanks!
>From the paper:
> However when trying to calculate the private keys it turns out most
> of these results aren't real signatures.
I was under the impression that SKS verified signature packets both
during upload and during gossip. If so, how did invalid or corrupt
signature packets make it into the database? Do you have a count of
the total number of invalid signature packets?
Daniel
On Sun, Mar 22, 2015 at 4:58 AM, Hanno Böck <address@hidden> wrote:
> Hi,
>
> I think this could be interesting for a couple of people:
>
> I had a project running in private for quite a while, I now published
> the details: I wrote a script that analyzes the dumps from key servers
> and puts the crypto values into a mysql database.
>
> This can be used to search for vulnerable keys or signatures on large
> scale. I did this for two potential threats: DSA signatures with
> duplicate k values and RSA keys with shared factors.
>
> The overall result is a good one: It seems OpenPGP implementations with
> completely broken random number generators exist, but they are a rare
> thing.
>
> Code:
> https://github.com/hannob/pgpecosystem
>
> Background paper:
> http://eprint.iacr.org/2015/262
>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: address@hidden
> GPG: BBB51E42
>
> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel
>