18-year-old random number generator flaw fixed in Libgcrypt, GnuPG
Researchers have discovered a “critical security problem” that affects all versions of the Libgcrypt cryptographic library and, therefore, all versions of the GnuPG (a.k.a. GPG) hybrid-encryption software.
The researchers – Felix Dörre and Vladimir Klebanov of the Karlsruhe Institute of Technology, Germany – define the issue as a design flaw that exists in the mixing function of the Libgcrypt pseudorandom number generator (PRNG).
“An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions,” shared Werner Koch, the author of Libgcrypt.
The bug has now been fixed, and he advises users of GnuPG-2 to update Libgcrypt to version 1.7.3, 1.6.6, or 1.5.6, and users of GnuPG-1 to upgrade to version 1.4.21.
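As a practical check on those advisories, the following is an added example (not code from the article or from the GnuPG project): it compares a Libgcrypt or GnuPG-1 version against the fixed releases named above, per maintenance branch, and parses a constructed `gpg --version` text; the assumption that GnuPG-2 prints a `libgcrypt X.Y.Z` line in that output is mine.

```python
"""Does a Libgcrypt / GnuPG release predate the PRNG mixing-function fix?

Added example, not from the article or the GnuPG project. Fixed versions
are those the article names: Libgcrypt 1.7.3, 1.6.6, 1.5.6 (GnuPG-2) and
GnuPG 1.4.21 (GnuPG-1). The sample `gpg --version` text is constructed.
"""
import re

# Minimum fixed release per Libgcrypt maintenance branch (from the article).
LIBGCRYPT_FIXED = {(1, 7): (1, 7, 3), (1, 6): (1, 6, 6), (1, 5): (1, 5, 6)}
GNUPG1_FIXED = (1, 4, 21)  # GnuPG-1 carries its own copy of the PRNG code


def parse_version(text):
    """'1.7.3' -> (1, 7, 3); trailing suffixes such as '-beta' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(x) for x in m.groups())


def libgcrypt_is_fixed(version):
    """True if this Libgcrypt release is at or past its branch's fixed version."""
    v = parse_version(version)
    branch = v[:2]
    if branch in LIBGCRYPT_FIXED:
        return v >= LIBGCRYPT_FIXED[branch]
    # Branches newer than 1.7 post-date the fix; older ones never received it.
    return branch > (1, 7)


def gnupg1_is_fixed(version):
    """GnuPG-1 (classic) is judged on its own version: fixed from 1.4.21 on."""
    return parse_version(version) >= GNUPG1_FIXED


def assess_gpg_version_output(output):
    """Report (product, version, fixed?) from `gpg --version` text.

    Assumption: GnuPG-2 prints a 'libgcrypt X.Y.Z' line; GnuPG-1 does not,
    so without that line the gpg version itself decides.
    """
    gpg = re.search(r"^gpg \(GnuPG\) (\S+)", output, re.M)
    lib = re.search(r"^libgcrypt (\S+)", output, re.M)
    if not gpg:
        raise ValueError("no 'gpg (GnuPG)' line found")
    if lib:
        return ("libgcrypt", lib.group(1), libgcrypt_is_fixed(lib.group(1)))
    return ("gnupg1", gpg.group(1), gnupg1_is_fixed(gpg.group(1)))


# Constructed sample outputs (not captured from real systems).
SAMPLE_GPG2 = "gpg (GnuPG) 2.1.14\nlibgcrypt 1.7.2\nCopyright ...\n"
SAMPLE_GPG1 = "gpg (GnuPG) 1.4.20\nCopyright ...\n"
```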
The issue has been documented in this paper, but the researchers made “no claims about the effect of the flaw on the security of generated keys or other artifacts.”
They haven’t released a working exploit; the flaw is apparently easy to exploit, though not remotely.
Koch says that a first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened.
“For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest not to overhasty revoke keys,” he added.
GnuPG implements the OpenPGP standard and allows users to encrypt and sign their data and communication. It is maintained by German developer Werner Koch, who depends on donations to keep the project running.