Flutterby™! : GPG paranoia: justified


GPG paranoia: justified

2013-12-18 18:02:55.157876+01 by Dan Lyke

Make sure you're running GPG 2+ or 1.4.16+: [Announce] [security fix] GnuPG 1.4.16 released:

The second attack is more serious. It is an adaptive chosen ciphertext attack to reveal the private key. A possible scenario is that the attacker places a sensor (for example a standard smartphone) in the vicinity of the targeted machine. That machine is assumed to do unattended RSA decryption of received mails, for example by using a mail client which speeds up browsing by opportunistically decrypting mails expected to be read soon. While listening to the acoustic emanations of the targeted machine, the smartphone will send new encrypted messages to that machine and re-construct the private key bit by bit. A 4096 bit RSA key used on a laptop can be revealed within an hour.

Details of the attack at http://www.cs.tau.ac.il/~tromer/acoustic/
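
One way to check an install against the versions named above, as an added example that is not part of the original post or of GnuPG: the function names are hypothetical, the sample banners are constructed, and the thresholds (2.x or later, or 1.4.16 or later) are the ones the post gives.

```shell
#!/bin/sh
# Added example: classify a GnuPG version against the thresholds the post
# gives (2.x or later, or 1.4.16 or later). Function names are hypothetical.

# Print the version number found in the first line of `gpg --version`
# output, e.g. "gpg (GnuPG) 1.4.15" -> "1.4.15". Prints nothing if absent.
gpg_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 if the version meets the post's threshold, 1 if it is older,
# 2 if it cannot be parsed. Fields are compared as numbers, so 1.4.9 < 1.4.16
# (a plain string comparison would get that wrong).
gpg_meets_threshold() {
    IFS=. read -r major minor patch rest <<EOF
$1
EOF
    minor=${minor:-0} patch=${patch:-0}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor$patch" in *[!0-9]*) return 2 ;; esac
    [ "$major" -ge 2 ] && return 0
    [ "$major" -eq 1 ] || return 1
    [ "$minor" -gt 4 ] && return 0
    [ "$minor" -eq 4 ] && [ "$patch" -ge 16 ] && return 0
    return 1
}

# Classify a full banner: prints "ok", "outdated" or "unknown".
classify_gpg_banner() {
    v=$(gpg_version_from_banner "$1")
    rc=0
    gpg_meets_threshold "$v" || rc=$?
    case $rc in 0) echo ok ;; 1) echo outdated ;; *) echo unknown ;; esac
}

# Constructed sample banners (first line of `gpg --version`), not real captures.
for banner in "gpg (GnuPG) 1.4.9" "gpg (GnuPG) 1.4.16" "gpg (GnuPG) 2.0.22"; do
    printf '%-22s %s\n' "$banner" "$(classify_gpg_banner "$banner")"
done
# To check the local install: classify_gpg_banner "$(gpg --version)"
```
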
