[Mageia-dev] PGP keys and package signing

Michael Scherer misc at zarb.org
Tue Feb 1 00:15:36 CET 2011


Le lundi 31 janvier 2011 à 21:49 +0000, Dick Gevers a écrit :
> On Mon, 31 Jan 2011 17:18:25 +0100, Michael Scherer wrote about Re:
> [Mageia-dev] PGP keys and package signing:
> 
> >The problem is not leaking the key, it is about cryptographic attacks
> >about older keys.
> >
> >If in 10 years, there is some technology that allows people to get our
> >private key by bruteforce on the public one
> 
> You can never ever obtain the private key from the public one, that is
> impossible. It can only be compromised if someone looses the private key
> plus the password is cracked.

Some secure systems have been seen compromised ( like
http://www.win.tue.nl/hashclash/rogue-ca/, who explain how the whole SSL
business was compromised 2 years ago, or see the GSM being cracked at
this year 27C3 ). 

And Debian also got ride of older vulnerable gpg keys ( see
http://lists.debian.org/debian-devel-announce/2010/04/msg00018.html and
http://lists.debian.org/debian-devel-announce/2010/09/msg00003.html ),
so I would not be so optimistic about the "never".

Technically, MD5 should not have been reversible, but see how easy it is
using a rainbow table. Granted, that's a 20 year protocol, but that's
still widely used in lots of software.

-- 
Michael Scherer



More information about the Mageia-dev mailing list