6

When receiving emails, I sometimes see the following:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

I found an integer overflow in PHP, in the conversation of dates to "Julian Day Count" function.

The commit, with a PoC can be found here: https://github.com/MegaManSec/php-src/commit/a538d2f5605798422f2746636 ecdc300f8ebcaa1
Use CVE-2015-1353.

CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington
Road, Bedford, MA 01730 USA [ PGP key available through
http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUw/LpAAoJEKllVAevmvmsiYoH/Ag+n/8x+blfJyccUhjt39bp
nRxsuZw2MIx7COJcoufIxeycu2YGnm1O9RxZBA9lKmVYjb0wjMi9yHogcWkT8UOo 
i93ARMw7V6UFp1nV+2Kv5BgVh2EcwEBXyDkKkcaN2l68Dm3nRoApMB4i4m7G67BC 
K2T1L4eq1orQCNaR7n4hup2155pHZbLqZQRMAYn5EGQPr/+zPjgq+PQKes631US5 
SXrnthRKOAfZk9QVIlxf5t1JfVvC3Cta0HgETTaXJ8TbqEAA5AXw8hl+RmhWgFnI 
Cto73LM+iiA1tyxDXdXnfdRqV/uxmqK+FCgO6asyCuT7EYOpBZ74Wmq1z+RVJRc=
=VLR4 
-----END PGP SIGNATURE-----

From what I understand a digital signature works in the following way:

  1. The content of the message is hashed to provide a fixed length output of the entire content.
  2. The hash which is generated is then encrypted with the senders private key (PS: I thought public key was used to encrypt things, different context?)
  3. The process above creates a digital signature which is transmitted with the original message
  4. The receiver uses the public key to decrypt the ciphertext to return the hash and then hashes the message them-self to see if its the same

The problem I cant understand is the public key part, in the example above from Mitre, there is no public key sent for me to decrypt the signature. So how do I go about verifying this signature? I can see that they have provided a link "PGP key available throught" but this link contains the key ID. What is this key ID and is it what I need to find the public key?

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
W Khan
  • 75
  • 1
  • 6

2 Answers2

3

Finding CVE's PGP/KEY

This article explains how to search for a GPG key, and specifically the CVE site's public key. There are instructions on how to import it there, and I've provided basic importation instructions below.

Typical GPG/PGP

In PGP/GPG when a user generates a key there is a key ID also associated with it. You'll notice, in the link that you provided, that the last 4 bytes of the fingerprint are also the key ID.

Generally, the user will upload their public key to a key server. The key ID is what the key server uses to look up keys within its database. Other users can search the key server for the key ID associated with the data they're trying to decrypt or verify. GPG uses your keychain to perform all of its operations. On a Linux box you can install GPG.

Debian:

sudo apt-get install pgpgpg

You can then import keys into your keychain with a given key ID from a keyserver:

gpg --recv-keys 0x<key_id> --keyserver 'http://key-server.org'

Or if you have the keyfile:

gpg --import <keyfile>

There are a few ways that a document can be signed. One way by creating a detached signature file. In this case you can do the following:

gpg --verify file-1.2.3.tar.sig file-1.2.3.tar

However, in your case you have both the message and the signature in the same file. You can tell because you have both -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE----- within the message. In this case you can just do the following:

gpg --output your-file.txt --decrypt my-file.gpg


For each of these verify commands GPG will attempt to look in your keychain for the key used to sign the message. If it can't find it then it will print an error message.

You mentioned that you see this in emails. If you're using Thunderbird there is an extension called Enigmail that will allow you to set keyservers, import GPG/PGP keys, and encrypt/decrypt/verify email signatures for you.


To answer your questions on how public keys and private keys relate I would read through Thomas Pornin's Answer here.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
  • But the keyid is a small length. There are not enough combinations are there? Is there a possibility that the keyid will be the same for two keys? – W Khan Jan 29 '15 at 14:38
  • With 2^32 possible combinations it would take something like 2^16 (65536) keys before we can expect the 4 bytes at the end to collide. I'm not exactly sure how they resolve these issues. There are reasons why this system isn't in wide spread use. – RoraΖ Jan 29 '15 at 14:41
  • Brilliant explanation from both answers however I cant upvote as I require 15 reputation. thanks – W Khan Jan 29 '15 at 14:51
  • I guess there is no need for installing `pgpgpg` unless you want to use the same commands that are used in the proprietary PGP. – unor Jan 29 '15 at 16:00
1

I dont have much inside into pgp or gpg, but i can tell you how this would work with simple rsa.

If you want to sign something you encrypt it with your private key, anyone who gets this message can decrypt it with your public key and thus knows that someone who has the private key has sent this message (hopefully only you have the private key).

If both had rsa keys you could encrypt it with your private key and then encrypt it with the public key of the person you want to send the message to. The receiver then decrypt the message accordingly and you have a message that only one person can open and only one person could have sent.

As far as i understand pgp and gpg they hash the messages with a secret key and then they encrypt this key with RSA.

For your problems with the keys: there are public key servers ( eg. MIT: https://pgp.mit.edu/)

yamm
  • 111
  • 3
  • thanks - however in pgp how is that secret key derived? is this the private key of the public/private pair? Also in asymmetric key encryption. are both keys able to encrypt/decrypt. So if I encrypt with the public key I will be able to decrypt with the private key and vice versa? – W Khan Jan 29 '15 at 14:06
  • @WKhan pgp and gpg use RSA for asymmetric encryption. Both keys can decrypt what the other key encrypts ('vise versa'). It doesnt matter which key is the private one and which one public. The only thin that matter is that the private one stays private ;-) read the wikipedia article on how it works & keys are created. there are also some good youtube vids which explain it very well. http://en.wikipedia.org/wiki/RSA_%28cryptosystem%29 – yamm Jan 29 '15 at 14:32
  • Encrypting "with your private key" can be broken by [the attack described here](http://crypto.stackexchange.com/q/14875/991). See [this answer](http://security.stackexchange.com/a/68836/49075). –  Jan 29 '15 at 14:50
  • @RickyDemer This seems like a fundamental flaw in this algorithm. Why are we still using this? On a related note, is there a explanation on why the private key cant be reversed into the public key? As far as I understand the private key is used to create the public key, right? – W Khan Jan 29 '15 at 14:54
  • @RickyDemer yes, RSA is built on the principle that its very hard to find the 2 prime factors of a 20 digit number. TLS and SSL are examples where RSA is implemented like 90% of other security. Basically the whole internet is build on top of it. – yamm Jan 29 '15 at 15:03
  • @WKhan: I'm not aware of any implementations of that (unlike actual RSA signature schemes), although I would imagine that there has been at least one due to that phrase being thrown around so carelessly. One can add any multiple of [lambda](https://en.wikipedia.org/wiki/Carmichael_function)(modulus) to either exponent to get another valid key pair. Key generation could use the private key to create the public key, although that would usually result in much bigger public exponents than just generating them in an interleaved manner. –  Jan 29 '15 at 15:33
  • @YannikAmmann: Well then, we're in trouble, since even the free version of wolfram|alpha can easily "find the 2 prime factors of a 20 digit number." –  Feb 01 '15 at 22:20
  • @RickyDemer yeah sry about that ;-) a 1024 bit key is 309 digits long http://en.wikipedia.org/wiki/RSA_numbers#RSA-1024 and an interesting thread about the security of rsa http://crypto.stackexchange.com/questions/1978/how-big-an-rsa-key-is-considered-secure-today – yamm Feb 02 '15 at 09:31