#695 ✓released
Victor Hora

MacGPG2 potentially vulnerable to side-channel attack on RSA secret keys CVE-2017-7526

Reported by Victor Hora | July 4th, 2017 @ 06:07 PM | in 2.2.0 (closed)


First and foremost: great work on the project folks!

I've noticed the current build is using libgcrypt 1.6.x from last year.

I'm just wondering if a new build / beta should come out with the latest version (1.7.8) of libgcrypt in light of the new a flush+reload side-channel attack on RSA secret keys dubbed "Sliding right into disaster" [1] [2]

"Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used.
Allowing execute access to a box with private keys should be considered
as a game over condition, anyway. Thus in practice there are easier
ways to access the private keys than to mount this side-channel attack.
However, on boxes with virtual machines this attack may be used by one
VM to steal private keys from another VM." [3]

[1] https://eprint.iacr.org/2017/627 [2] https://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.ht... [3] https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html


Comments and changes to this ticket

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Shared Ticket Bins

People watching this ticket