Libgcrypt/GnuPG Hit By Critical Security Problem Since 1998

Written by Michael Larabel in GNU on 17 August 2016 at 04:15 PM EDT.
Werner Koch today publicly announced that Libgcrypt and GnuPG have a "critical security problem" that affects all versions released prior to today, on all platforms.

Koch noted in today's security announcement, "Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions."

This issue is CVE-2016-6316. Again, all Libgcrypt and GnuPG versions are affected on all platforms. Werner added, "A first analysis on the impact of this bug in GnuPG shows that existing RSA keys are not weakened. For DSA and Elgamal keys it is also unlikely that the private key can be predicted from other public information. This needs more research and I would suggest _not to_ overhasty revoke keys."