Victory by KO: Attacking OpenPGP Using Key Overwriting

Thu 01Dec2022

Lara Bruseghini, ProtonMail

From 12.00 until 13.30

At CNB/F/110 (Lunch) + CAB G 52 (Seminar), ETH Zurich

CNB/F/110 (Lunch) + CAB G 52 (Seminar), ETH Zurich


I'll present a set of attacks on the OpenPGP specification and implementations of it which result in full recovery of users' private keys. The attacks exploit the lack of cryptographic binding between the different fields inside an encrypted private key packet, which include the key algorithm identifier, the cleartext public parameters, and the encrypted private parameters. This allows an attacker who can overwrite certain fields in OpenPGP key packets to perform cross-algorithm attacks, causing a user's software to, for example, misinterpret an ECC private key as being a DSA key. It also allows an attacker to replace the legitimate public parameters with adversarially chosen ones, e.g. allowing them to select the DSA group. We refer to this class of attacks as Key Overwriting (KO) attacks. After giving an overview of the vulnerability of different OpenPGP libraries to KO attacks, I'll show how in some cases additional key validation steps performed by libraries that should prevent the attacks in fact allow variant attacks. I'll also discuss the applicability of KO attacks in the context of specific OpenPGP-based applications.

Join us in CNB/F/110 (Lunch) + CAB G 52 (Seminar).

Download Event to Calendar