FreeBSD : ElGamal sign+encrypt keys created by GnuPG can be compromised (81313647-2d03-11d8-9355-0020ed76ef5a)
Medium Nessus Plugin ID 36752
SynopsisThe remote FreeBSD host is missing a security-related update.
DescriptionAny ElGamal sign+encrypt keys created by GnuPG contain a cryptographic weakness that may allow someone to obtain the private key. These keys should be considered unusable and should be revoked.
The following summary was written by Werner Koch, GnuPG author :
Phong Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal keys for signing. This is a significant security failure which can lead to a compromise of almost all ElGamal keys used for signing.
Note that this is a real world vulnerability which will reveal your private key within a few seconds.
Please take immediate action and revoke your ElGamal signing keys.
Furthermore you should take whatever measures necessary to limit the damage done for signed or encrypted documents using that key.
Note that the standard keys as generated by GnuPG (DSA and ElGamal encryption) as well as RSA keys are NOT vulnerable. Note also that ElGamal signing keys cannot be generated without the use of a special flag to enable hidden options and even then overriding a warning message about this key type. See below for details on how to identify vulnerable keys.
SolutionUpdate the affected package.