[Mageia-dev] PGP keys and package signing

Tue Feb 1 00:15:36 CET 2011

Le lundi 31 janvier 2011 à 21:49 +0000, Dick Gevers a écrit :
+> On Mon, 31 Jan 2011 17:18:25 +0100, Michael Scherer wrote about Re:
+> [Mageia-dev] PGP keys and package signing:
+> 
+> >The problem is not leaking the key, it is about cryptographic attacks
+> >about older keys.
+> >
+> >If in 10 years, there is some technology that allows people to get our
+> >private key by bruteforce on the public one
+> 
+> You can never ever obtain the private key from the public one, that is
+> impossible. It can only be compromised if someone looses the private key
+> plus the password is cracked.
+
+Some secure systems have been seen compromised ( like
+http://www.win.tue.nl/hashclash/rogue-ca/, who explain how the whole SSL
+business was compromised 2 years ago, or see the GSM being cracked at
+this year 27C3 ). 
+
+And Debian also got ride of older vulnerable gpg keys ( see
+http://lists.debian.org/debian-devel-announce/2010/04/msg00018.html and
+http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html ),
+so I would not be so optimistic about the "never".
+
+Technically, MD5 should not have been reversible, but see how easy it is
+using a rainbow table. Granted, that's a 20 year protocol, but that's
+still widely used in lots of software.
+
+-- 
+Michael Scherer
+
+