
Key Management - BSI had sent private key instead of public key
Hello,

According to an article on the German site golem.de[1],
Germany's BSI[2] had sent its private key instead of
its public key via email to a user who had requested its
public key.

I am only familiar with GnuPG command line usage
and assume that they may use a GUI based program
or add-on for an MUA.

My question is: what can cause this? Let's say you
have a busy and stressful day and accidentally
carry out such an operation, as a security professional
who has known such a cryptographic tool for a long time,
I assume.

If this can happen to professionals then it would
tell me that there is a design flaw in the software
used.

Because this German article does not go into details, does
someone of you have more details on how this happened?

Regards
Stefan

[1]
https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

[2] https://www.bsi.bund.de/EN/Home/home_node.html



_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Key Management - BSI had sent private key instead of public key
Stefan,

On Wed, 17 Nov 2021 at 11:47, ?????? ???????? via Gnupg-users
<gnupg-users@gnupg.org> wrote:
> If this can happen to professionals then it would
> tell me that there is a design flaw in the software
> used.

https://www.gnupg.org/gph/en/manual/r887.html is explicit that it will
"export-secret-keys"

I haven't confirmed the fingerprint of every Public Key they made
available for download on their web pages, but it may have just been
one Private Key that was compromised rather than many Public Keys. If
you want, use their search function on their web page with "PGP
Fingerprint" and "GPG Fingerprint"?


--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

Re: Key Management - BSI had sent private key instead of public key
On 17.11.21 at 00:17, ?????? ???????? via Gnupg-users wrote:
[...]
> My question is what can cause this, let's say if you
> have a busy and stressful day and would accidentally
> carry out such operation, as security professional
> knowing such a cryptographic tool for a long time,
> I assume.
>
> If this can happen to professionals then it would
> tell me that there is a design flaw in the software
> used.
[...]
The folks working at the BSI are - for the most part - not professional technicians, they are administrative officers. I don't believe there are a lot of people working there who know much about cryptography, or how command line gnupg works.

Re: Key Management - BSI had sent private key instead of public key
Actually, there is a post in the forum Golem article, how this really happened: t.ly/1n0V

Re: Key Management - BSI had sent private key instead of public key
On Wednesday 17 November 2021 00:17:58, ?????? ???????? via Gnupg-users wrote:
> According to an article on the German site golem.de[1]
> Germany's BSI[2] had sent its private key instead of
> it's public key to a user via email, who requested its
> public key.
> [1]
> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

The article says that it was one private key, password encrypted,
for one email address (probably a functional address for a team).
I have no further information on the incident,
and know of no MUA or GUI that makes attaching private key material to an
email easy.

The most likely scenario would be that there was a private key in a file
somewhere on the system that could be attached to an email manually.
As GnuPG itself uses a directory clearly named like .gnupg/private-keys-v1.d/,
there is a good chance that it was an exported private key named differently.

The BSI says it has 1400 employees, so not all of them will be technical
security experts; they have been growing a lot. The BSI increasingly seems to use
OpenPGP/MIME instead of S/MIME and is getting more accessible this way for
encrypted email exchange.

Overall a good case for using more WKD in the client and the server, where the
pubkey would have been transferred automatically with some basic trust and no
need for a manual email attachment.

Best Regards,
Bernhard

--
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
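Christian's reply points at `--export-secret-keys`, and Bernhard's most likely scenario is an exported private key sitting in an arbitrarily named file that then got attached by hand. A pre-send check should therefore look at what a file actually contains, not at its name or even at its armor label. The following is an added example, not code from this thread, from the BSI or from GnuPG: it de-armors an OpenPGP key block and walks its packet headers per RFC 4880, reporting whether any Secret-Key (tag 5) or Secret-Subkey (tag 7) packets are present. The three sample key blocks at the end are constructed packet streams with placeholder bodies, not real keys; the function and constant names are this example's own.

```python
"""Check an OpenPGP key file for secret-key packets before it is attached to mail.
Added example for this thread, not code from the list, the BSI or GnuPG. It
implements the RFC 4880 pieces needed to de-armor a key block (section 6) and
walk its packet headers (section 4.2); the samples at the end are constructed
packet streams with placeholder bodies, not real key material."""
import base64
import re
from typing import Tuple, Union

PACKET_NAMES = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
                13: "user-id", 14: "public-subkey", 17: "user-attribute"}
SECRET_TAGS = {5, 7}

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the armor checksum line)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> Tuple[str, bytes]:
    """Return (armor label, binary payload); raises if the CRC-24 line does not match."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----(.*?)-----END PGP \1-----", text, re.S)
    if not m:
        raise ValueError("no PGP armor block found")
    label, body = m.group(1), m.group(2)
    _, sep, rest = body.partition("\n\n")          # armor headers end at the first blank line
    chunks = (rest if sep else body).split()
    crc_line = chunks.pop() if chunks and chunks[-1].startswith("=") else None
    payload = base64.b64decode("".join(chunks))
    if crc_line is not None:
        expected = int.from_bytes(base64.b64decode(crc_line[1:]), "big")
        if crc24(payload) != expected:
            raise ValueError("armor CRC-24 mismatch: file is corrupt or was edited")
    return label, payload

def iter_packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, no partial lengths."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"invalid packet tag byte 0x{ctb:02x} at offset {pos - 1}")
        if ctb & 0x40:                                   # new-format header (4.2.2)
            tag, first = ctb & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:                                        # partial lengths: data packets only
                raise ValueError("partial body length not expected in key material")
        else:                                            # old-format header (4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                               # indeterminate: rest of the stream
                length = len(data) - pos
            else:
                nbytes = (1, 2, 4)[ltype]
                length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        if pos + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[pos:pos + length]
        pos += length

def classify_key(blob: Union[str, bytes]) -> dict:
    """Summarise a key file; the verdict comes from the packets, not from the armor label."""
    label = None
    if isinstance(blob, bytes) and blob.lstrip().startswith(b"-----BEGIN PGP"):
        blob = blob.decode("ascii", "replace")
    if isinstance(blob, str):
        label, data = dearmor(blob)
    else:
        data = blob                                      # already binary OpenPGP
    tags = [tag for tag, _ in iter_packets(data)]
    has_secret = any(t in SECRET_TAGS for t in tags)
    return {"armor": label, "packets": [PACKET_NAMES.get(t, f"tag-{t}") for t in tags],
            "has_secret": has_secret, "safe_to_share": not has_secret and 6 in tags}

# --- constructed samples: placeholder bodies, not real keys -------------------
def new_packet(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet length (body shorter than 192 bytes)."""
    return bytes([0xC0 | tag, len(body)]) + body

def armor(label: str, data: bytes) -> str:
    """ASCII armor with a CRC-24 trailer and 64-column lines."""
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP {label}-----\n\n{lines}\n={crc}\n-----END PGP {label}-----\n"

KEY_BODY = b"\x04" + b"\x00" * 8                          # placeholder, not key material
UID = new_packet(13, b"Alice <alice@example.org>")
PUBLIC_SAMPLE = armor("PUBLIC KEY BLOCK", new_packet(6, KEY_BODY) + UID + new_packet(14, KEY_BODY))
SECRET_SAMPLE = armor("PRIVATE KEY BLOCK", new_packet(5, KEY_BODY) + UID + new_packet(7, KEY_BODY))
# The same secret packets behind a PUBLIC label: a check on the label alone would pass it.
MISLABELLED_SAMPLE = armor("PUBLIC KEY BLOCK", new_packet(5, KEY_BODY) + UID)
```

Run `classify_key(open("key.asc").read())` on whatever file is about to be attached: a result with `has_secret` true should block the send regardless of file name or armor label, and the mislabelled sample shows why the packet walk, rather than the `BEGIN PGP PUBLIC KEY BLOCK` line, is what the decision rests on. The same walk works on a binary `.gpg` export passed in as bytes.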
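Bernhard's closing point is that with WKD the public key would have been fetched automatically instead of attached by hand. As an added example (not code from this thread or from GnuPG), here is the lookup derivation a WKD client performs, following the OpenPGP Web Key Directory draft (draft-koch-openpgp-webkey-service): the local part of the address is lower-cased, hashed with SHA-1, z-base-32 encoded, and the result names the file under `/.well-known/openpgpkey/` that is fetched over HTTPS. The function names are this example's own.

```python
"""Derive the Web Key Directory (WKD) lookup URLs for an e-mail address.
Added example for this thread, not code from the list or from GnuPG. It follows
the OpenPGP Web Key Directory draft (draft-koch-openpgp-webkey-service): the
local part is lower-cased, hashed with SHA-1 and z-base-32 encoded, and the
result names the file a client fetches the public key from."""
import hashlib
from urllib.parse import quote

ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"   # z-base-32 alphabet

def zbase32_encode(data: bytes) -> str:
    """Base32 bit layout (most significant bits first) with the z-base-32 alphabet, unpadded."""
    out, bits, nbits = [], 0, 0
    for byte in data:
        bits, nbits = (bits << 8) | byte, nbits + 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32[(bits >> nbits) & 0x1F])
    if nbits:                                  # leftover bits are left-aligned in a final symbol
        out.append(ZBASE32[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)

def wkd_hash(local_part: str) -> str:
    """The 32-character WKD hash of a mailbox local part (case-insensitive)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())

def wkd_urls(address: str) -> dict:
    """Advanced- and direct-method URLs, in the order a client tries them."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain, h = domain.lower(), wkd_hash(local_part)
    query = quote(local_part, safe="")          # the l= parameter keeps the original case
    return {
        "hash": h,
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={query}",
    }

if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "stefan@example.net"):
        print(addr, wkd_urls(addr))
```

The address `Joe.Doe@Example.ORG` is the draft's own worked example. Because the hash is derived from the address alone, a client such as GnuPG (which tries the advanced method first and falls back to the direct one) can fetch the key without any human choosing a file to attach, which is exactly the manual step that went wrong here; the trust it gives is "the operator of the mail domain published this key", nothing more.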
Re: Key Management - BSI had sent private key instead of public key
On Tue, 16 Nov 2021 23:17:58 +0000
?????? ???????? via Gnupg-users <gnupg-users@gnupg.org> wrote:

> [1]
> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html

Is there an English translation of this article somewhere? I never
learned German beyond what made its way into the English language or
what I might've picked up from episodes of 'Allo 'Allo or Hogan's
Heroes…

If I go to the link, I get a rather large pop-up dialogue which doesn't
look much like an article at all. Throw the thing at Google Translate,
and the JavaScript on the page re-directs me back to the original page
in German.
--
Stuart Longland (aka Redhatter, VK4MSL)

I haven't lost my mind...
...it's backed up on a tape somewhere.

Re: Key Management - BSI had sent private key instead of public key
> Is there an English translation of this article somewhere?

No, I don't think so. To the best of my knowledge Golem.de publishes exclusively
in German and I didn't find anything with a search engine.

> If I go to the link, I get a rather large pop-up dialogue which doesn't
> look much like an article at all. Throw the thing at Google Translate,
> and the JavaScript on the page re-directs me back to the original page
> in German.

That was just a mechanism to force users to either consent to extensive tracking
and ads or login with an account that has a paid subscription.

--
Jonas Tobias Hopusch

Re: Key Management - BSI had sent private key instead of public key
On 17.11.21 at 23:49, Stuart Longland via Gnupg-users wrote:
> On Tue, 16 Nov 2021 23:17:58 +0000
> ?????? ???????? via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
>> [1]
>> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html
>
> Is there an English translation of this article somewhere? I never
> learned German beyond what made its way into the English language or
> what I might've picked up from episodes of 'Allo 'Allo or Hogan's
> Heroes…
That's kind of a misconception: as English is a western germanic
language it's not that German made its way into English but English is
*based* on German.

You would be amazed how many words are similar or even pronounced
identically - like Haus/house, Maus/mouse, Finger/finger etc. pp. The
similarities between English and the dialect spoken in coastal regions
of northern Germany ("Plattdeutsch") are even more striking.

So you already do speak German - to some extent. In case you don't
believe me or wonder where "Anglo-Saxon" comes from, start here:
https://en.wikipedia.org/wiki/Angles.

A bit OT, I know. But I couldn't resist. Hope you're not offended. ;)

Kind regards!

Rainer

Re: Key Management - BSI had sent private key instead of public key
On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
> That's kind of a misconception: as English is a western germanic
> language it's not that German made its way into English but English is
> *based* on German.

To be precise, not on German---it's based on the common ancestor.
Both English and German deviate considerably from it.
Re: Key Management - BSI had sent private key instead of public key
On 18.11.21 at 13:27, Ineiev wrote:
> On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
>> That's kind of a misconception: as English is a western germanic
>> language it's not that German made its way into English but English is
>> *based* on German.
>
> To be precise, not on German---it's based on the common ancestor.
> both English and German deviate considerably from it.
>
I guess that saves the day for some. I can almost hear the sigh of
relief. ;)

Re: Key Management - BSI had sent private key instead of public key
On Thu, Nov 18, 2021 at 02:15:53PM +0100, Rainer Fiebig via Gnupg-users wrote:
> On 18.11.21 at 13:27, Ineiev wrote:
> > On Thu, Nov 18, 2021 at 10:48:55AM +0100, Rainer Fiebig via Gnupg-users wrote:
> >> That's kind of a misconception: as English is a western germanic
> >> language it's not that German made its way into English but English is
> >> *based* on German.
> >
> > To be precise, not on German---it's based on the common ancestor.
> > both English and German deviate considerably from it.
> >
> I guess that saves the day for some. I can almost hear the sigh of
> relief. ;)

:-)

https://en.wikipedia.org/wiki/The_Story_of_English if anyone finds
this interesting.

--
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Key Management - BSI had sent private key instead of public key
> On 17.11.21 at 23:49, Stuart Longland via Gnupg-users wrote:
> > On Tue, 16 Nov 2021 23:17:58 +0000
> > ?????? ???????? via Gnupg-users <gnupg-users@gnupg.org> wrote:
> >
> >> [1]
> >> https://www.golem.de/news/verschluesselung-bsi-verschickt-privaten-pgp-schluessel-2111-161073.html
> >
> > Is there an English translation of this article somewhere? I never

list of translator sites: http://www.berklix.org/trans/

Cheers,
--
Julian Stacey http://berklix.com/jhs/ http://stolenvotes.uk

Re: Key Management - BSI had sent private key instead of public key
I used Edge and its built-in translator function to read it after I got
past the page asking about the cookies (which Privazer will remove
anyway).

On 11/17/2021 4:13 PM, Jonas Tobias Hopusch via Gnupg-users wrote:
>> Is there an English translation of this article somewhere?
> No, I don't think so. To the best of my knowledge Golem.de publishes exclusively
> in German and I didn't find anything with a search engine.
>
>> If I go to the link, I get a rather large pop-up dialogue which doesn't
>> look much like an article at all. Throw the thing at Google Translate,
>> and the JavaScript on the page re-directs me back to the original page
>> in German.
> That was just a mechanism to force users to either consent to extensive tracking
> and ads or login with an account that has a paid subscription.
>
--
PGP Key Upon Request

