Multiple Vendor PGP5 Automatic Key Generation Routine Vulnerability

A vulnerability exists in the way PGP5 generates random keying material, when used without user input. When a keypair is generated using:
pgpk -g <DSS or RSA> <key-length> <user-id> <timeout> <pass-phrase>
pgp will automatically generate the key without any user intervention. On systems which support /dev/random, it generates this key material by reading from this device in 1 byte increments:
RandBuf = read(fd, &RandBuf, count);

which it then feeds in to its random pool. Unfortunately, the above logic is flawed; read() returns the number of characters read. As count is always initialized to 1 in this case, RandBuf will always be assigned the value 1. This makes it easy to predict keys. RSA keys generated this way are predictable; DSA/ElGamal signature (DSA) keys are predictable, while encryption keys (ElGamal) vary.

Users running pgp are not vulnerable provided one of the following are true:

1) They interactively generated the keys -- this would entail entering a large amount of random characters at the keyboard
2) They had a previous installation of PGP 5 which had been used, and had a pre-existing random seed file.
3) They're running a 2.x, 2.xi, 6.x or 6.xi distribution.
4) The platform they are using does not have a /dev/random device.


Privacy Statement
Copyright 2010, SecurityFocus