[Mageia-dev] PGP keys and package signing

Tue Feb 1 01:35:36 CET 2011

On Tue, 01 Feb 2011 00:15:36 +0100, Michael Scherer wrote about Re:
+[Mageia-dev] PGP keys and package signing:
+
+>Le lundi 31 janvier 2011 à 21:49 +0000, Dick Gevers a écrit :
+>> On Mon, 31 Jan 2011 17:18:25 +0100, Michael Scherer wrote about Re:
+>> [Mageia-dev] PGP keys and package signing:
+>> 
+>> >The problem is not leaking the key, it is about cryptographic attacks
+>> >about older keys.
+>> >
+>> >If in 10 years, there is some technology that allows people to get our
+>> >private key by bruteforce on the public one
+>> 
+>> You can never ever obtain the private key from the public one, that is
+>> impossible. It can only be compromised if someone looses the private key
+>> plus the password is cracked.
+>
+>Some secure systems have been seen compromised ( like
+>http://www.win.tue.nl/hashclash/rogue-ca/, who explain how the whole SSL
+>business was compromised 2 years ago, or see the GSM being cracked at
+>this year 27C3 ). 
+>
+>And Debian also got ride of older vulnerable gpg keys ( see
+>http://lists.debian.org/debian-devel-announce/2010/04/msg00018.html and
+>http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html ),
+>so I would not be so optimistic about the "never".
+>
+>Technically, MD5 should not have been reversible, but see how easy it is
+>using a rainbow table. Granted, that's a 20 year protocol, but that's
+>still widely used in lots of software.
+
+Sorry, but I am not convinced: the gpg key we are talking about consists of
+2 parts: the private key is separate from the public key, or signing key.
+The signing key is a separate or subkey and does not contain any part of the
+private key. So you can throw any amount of computing power at it, but
+there is nothing inside the public key that will enable the rebuilding of
+the private key from it.
+
+Ciao,
+=Dick Gevers=
+