From 170aaaa0c58a1694f45d01b7bcba936678bdc711 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Mon, 4 Jul 2022 11:05:16 +0200 Subject: [PATCH] Document KO protection utility class --- .../key/util/PublicKeyParameterValidationUtil.java | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java index fbddb080..d3c7fe68 100644 --- a/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java +++ b/pgpainless-core/src/main/java/org/pgpainless/key/util/PublicKeyParameterValidationUtil.java @@ -38,6 +38,15 @@ import org.pgpainless.algorithm.SymmetricKeyAlgorithm; import org.pgpainless.exception.KeyIntegrityException; import org.pgpainless.implementation.ImplementationFactory; +/** + * Utility class to verify keys against Key Overwriting (KO) attacks. + * This class of attacks is only possible if the attacker has access to the (encrypted) secret key material. + * To execute the attack, they would modify the unauthenticated parameters of the users public key. + * Using the modified public key in combination with the unmodified secret key material can then lead to the + * extraction of secret key parameters via weakly crafted messages. + * + * @see Key Overwriting (KO) Attacks against OpenPGP + */ public class PublicKeyParameterValidationUtil { public static void verifyPublicKeyParameterIntegrity(PGPPrivateKey privateKey, PGPPublicKey publicKey)