GnuPG Silent Import of Secret Keys Vulnerability

GnuPG is the GNU Privacy Guard, a public key program designed to facilitate secure email between parties. A problem exists which could allow a breaking of the ring of trust.

The problem occurs in the trust of secret keys by GnuPG. GnuPG considers the public keys that correspond to known secret keys to be trusted in entirety. However, GnuPG imports secret keys from key servers silently, and can therefore break the trust model by accepting a secret key that corresponds to a key held in the public ring. This makes it possible for a user with malicious intent to infiltrate and break the trust of a group by uploading a public and private key to a certificate authority or key server, and creating a situation that would allow a user to import the public key and private key to their keyring.


 

Privacy Statement
Copyright 2010, SecurityFocus