Gentoo Archives: gentoo-dev

From: Paul de Vrieze <pauldv@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Signing everything, for fun and for profit
Date: Sun, 21 May 2006 10:48:36
Message-Id: 200605211240.52089.pauldv@gentoo.org
In Reply to: Re: [gentoo-dev] Signing everything, for fun and for profit by "Robin H. Johnson"
On Saturday 20 May 2006 22:47, Robin H. Johnson wrote:
> The basic form of it, is a vulnerability towards a class of attacks that
> require a large supply of signed/encrypted material.
> For a primer on various modes of using block ciphers, see
> Wikipedia: http://tinyurl.com/bbcmf
>
> It's conceivable that (and this is the absolute worst case), under this
> class of attack, a lot of signing may ultimately reveal bits of your
> key, because the attacker has both the plaintext and ciphertext, and can
> ultimately compute it - this can either be brute-force, or
> mathematically (consider it solving algebra).

Once one developer has been compromised, there is even a chosen plaintext
attack path. Making it even worse.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net