GnuPG Project Fixes 18-Year-Old Bug

Tuesday, August 23, 2016 @ 02:08 PM gHale


The GnuPG project just fixed a critical security issue that has been around for 18 years.

The vulnerability affects the mixing functions in the RNG (random number generator) used for Libgcrypt, a core GnuPG (GPG, or Gnu Privacy Guard) library.


Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology discovered the issue, tracked as CVE-2016-6316. They said an attacker who manages to obtain 4640 bits from the RNG can predict the next 160 bits of its output.

Werner Koch, GPG’s creator and main developer, said this does not weaken existing keys and recommends that users not rush to revoke them. He also said that, based on the information currently public, it is unlikely an attacker could guess or compromise private keys generated via the DSA and ElGamal algorithms.

Other applications that embed or build on GPG or Libgcrypt should update their code, Koch said. All versions released before August 17 are affected, on all operating systems.

Koch released GPG/GnuPG versions 1.4.21 and 2.1.15 to address this issue. Safe Libgcrypt versions are 1.7.3, 1.6.6, and 1.5.6.
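For anyone auditing a fleet against the fixed releases listed above, the following is an added example (not code from the GnuPG project or the article) that classifies a Libgcrypt or GnuPG version string as fixed, vulnerable, or not covered by the announcement. The branch tables hold only the fixed versions the article names; treating any newer branch as post-fix, and any older unlisted branch as "unknown", are assumptions made here. The `libgcrypt-config --version` and `gpg --version` probes in `main()` are the standard tools; the sample version strings are constructed.

```python
"""Classify Libgcrypt / GnuPG versions against the releases that fix the
RNG mixing flaw. Constructed example; the only facts taken from the
article are the fixed version numbers in the two tables below."""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]
Branch = Tuple[int, int]

# Minimum fixed patch level per maintained branch, as stated in the article.
FIXED_LIBGCRYPT: Dict[Branch, int] = {(1, 5): 6, (1, 6): 6, (1, 7): 3}
FIXED_GNUPG: Dict[Branch, int] = {(1, 4): 21, (2, 1): 15}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first dotted x.y.z version from tool output such as
    'gpg (GnuPG) 2.1.15' or a bare '1.7.3'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in match.groups())
    return (major, minor, patch)


def assess(version: Version, table: Dict[Branch, int]) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one version.

    - Branch listed in the table: compare the patch level to the fix.
    - Branch newer than every listed branch: assumed to post-date the fix
      (assumption, not a statement from the article).
    - Any other branch: not named in the announcement; flag for review.
    """
    major, minor, patch = version
    branch: Branch = (major, minor)
    if branch in table:
        return "fixed" if patch >= table[branch] else "vulnerable"
    if branch > max(table):
        return "fixed"
    return "unknown"


def installed_version(tool: str) -> Optional[Version]:
    """Run '<tool> --version' if the tool is on PATH and parse its output."""
    path = shutil.which(tool)
    if path is None:
        return None
    proc = subprocess.run([path, "--version"], capture_output=True,
                          text=True, check=False)
    return parse_version(proc.stdout or proc.stderr)


def main() -> None:
    # Constructed sample strings, e.g. from an inventory export.
    samples = [
        ("libgcrypt", "1.7.2", FIXED_LIBGCRYPT),
        ("libgcrypt", "libgcrypt 1.6.6", FIXED_LIBGCRYPT),
        ("libgcrypt", "1.4.9", FIXED_LIBGCRYPT),
        ("gnupg", "gpg (GnuPG) 2.1.14", FIXED_GNUPG),
        ("gnupg", "gpg (GnuPG) 1.4.21", FIXED_GNUPG),
    ]
    for name, text, table in samples:
        print(f"{name:10} {text:22} -> {assess(parse_version(text), table)}")

    # Live check of the local machine, if the tools are installed.
    for tool, table in (("libgcrypt-config", FIXED_LIBGCRYPT), ("gpg", FIXED_GNUPG)):
        ver = installed_version(tool)
        if ver is not None:
            print(f"{tool}: {'.'.join(map(str, ver))} -> {assess(ver, table)}")


if __name__ == "__main__":
    main()
```

`assess` deliberately returns "unknown" rather than guessing for branches the announcement does not mention (for example GnuPG 2.0.x), so those hosts surface for a manual check instead of being silently marked clean.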

GPG/GnuPG is a software package that allows users to encrypt their communications. Users install it to encrypt email exchanges, but the base package also ends up embedded in many other products to provide encryption support.