Security researchers have disclosed a critical flaw (CVE-2017-7526) in Libgcrypt, the cryptographic library used by GnuPG, that allowed them to completely break 1024-bit RSA as implemented there and recover the secret RSA key needed to decrypt data.
GnuPG is hybrid-encryption software: it combines conventional symmetric-key cryptography, for speed, with public-key cryptography, for secure key exchange, typically by encrypting a single-use session key with the recipient's public key. This mode of operation is part of the OpenPGP standard and has been part of PGP since its first version. A recovered RSA private key therefore exposes every session key encrypted to it, and with them the messages those keys protect.
GnuPG has been used by the NSA (National Security Agency) to keep communications secure (encrypted).
Researchers said:
“In this paper, we demonstrate a complete break of RSA-1024 as implemented in Libgcrypt. Our attack makes essential use of the fact that Libgcrypt uses the left-to-right method for computing the sliding-window expansion,”
“Note that this side-channel attack requires that the attacker can run arbitrary software on the hardware where the private RSA key is used. Allowing execute access to a box with private keys should be considered as a game over condition, anyway. Thus in practice there are easier ways to access the private keys than to mount this side-channel attack. However, on boxes with virtual machines this attack may be used by one VM to steal private keys from another VM.”
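The left-to-right sliding-window expansion the researchers refer to, as an added example that is not code from the article or from Libgcrypt: it records the square (S) / multiply (M) sequence of a left-to-right sliding-window exponentiation and shows which exponent bits that sequence alone fixes, which is why an exponentiation with a secret exponent must not let its operation pattern depend on the exponent. The window width w=5 and the sample values in the docstrings are assumptions made for illustration.

```python
# Added example (not from the article or Libgcrypt): left-to-right sliding-window
# exponentiation with an S/M operation trace, and what that trace alone reveals.

def l2r_sliding_window_pow(base, exp, mod, w=5):
    """Return (base**exp % mod, trace): one 'S' per exponent bit, one 'M' per
    window of <= w bits that starts and ends on a 1 bit (w=5 is assumed here)."""
    table = {1: base % mod}                  # odd powers base^1, base^3, ..., base^(2^w-1)
    base_sq = base * base % mod
    for u in range(3, 1 << w, 2):
        table[u] = table[u - 2] * base_sq % mod
    bits, n = bin(exp)[2:], exp.bit_length()
    acc, trace, i = 1, [], n - 1             # i counts bit positions from the LSB
    while i >= 0:
        if bits[n - 1 - i] == "0":           # 0 bit outside a window: square only
            acc = acc * acc % mod
            trace.append("S")
            i -= 1
            continue
        j = max(i - w + 1, 0)                # widest window i..j that ends on a 1 bit
        while bits[n - 1 - j] == "0":
            j += 1
        for _ in range(i - j + 1):
            acc = acc * acc % mod
            trace.append("S")
        acc = acc * table[int(bits[n - 1 - i:n - j], 2)] % mod
        trace.append("M")
        i = j - 1
    return acc, trace

def bits_leaked_by_trace(trace, w=5):
    """Exponent bits the S/M pattern fixes with certainty, as {position: bit}:
    an 'M' closes a window on a 1 bit; the window began at the first 1 bit below
    the previous window, so bits above position+w-1 are 0; bits after the last
    window are 0; the top bit is 1."""
    n = trace.count("S")
    known, pos, prev_end = {n - 1: 1}, n, n
    for op in trace:
        if op == "S":
            pos -= 1
        else:
            known[pos] = 1
            for p in range(pos + w, prev_end):
                known[p] = 0
            prev_end = pos
    for p in range(prev_end):
        known[p] = 0
    return known
```

Run on a random 1024-bit odd exponent, `bits_leaked_by_trace` returns only bits that match the real exponent, with no errors, from the operation sequence alone; an exponentiation whose pattern does not vary with the exponent gives this observer nothing.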
A patch has been released for the Libgcrypt library; Debian users can update the library here and Ubuntu users can update it here.