When receiving emails, I sometimes see the following:
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I found an integer overflow in PHP, in the conversation of dates to "Julian Day Count" function.

The commit, with a PoC can be found here: http://ift.tt/15ETN3i ecdc300f8ebcaa1

Use CVE-2015-1353.

CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://ift.tt/1rbSTo3 ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUw/LpAAoJEKllVAevmvmsiYoH/Ag+n/8x+blfJyccUhjt39bp nRxsuZw2MIx7COJcoufIxeycu2YGnm1O9RxZBA9lKmVYjb0wjMi9yHogcWkT8UOo i93ARMw7V6UFp1nV+2Kv5BgVh2EcwEBXyDkKkcaN2l68Dm3nRoApMB4i4m7G67BC K2T1L4eq1orQCNaR7n4hup2155pHZbLqZQRMAYn5EGQPr/+zPjgq+PQKes631US5 SXrnthRKOAfZk9QVIlxf5t1JfVvC3Cta0HgETTaXJ8TbqEAA5AXw8hl+RmhWgFnI Cto73LM+iiA1tyxDXdXnfdRqV/uxmqK+FCgO6asyCuT7EYOpBZ74Wmq1z+RVJRc=
=VLR4
-----END PGP SIGNATURE-----
```
From what I understand, a digital signature works in the following way:

1. The content of the message is hashed to provide a fixed-length output of the entire content.
2. The hash which is generated is then encrypted with the sender's private key (PS: I thought the public key was used to encrypt things, different context?)
3. The process above creates a digital signature which is transmitted with the original message.
4. The receiver uses the public key to decrypt the ciphertext to return the hash and then hashes the message themselves to see if it's the same.
The problem I can't understand is the public key part. In the example above from Mitre, there is no public key sent for me to decrypt the signature. So how do I go about verifying this signature? I can see that they have provided a link "PGP key available through", but this link contains the key ID. What is this key ID, and is it what I need to find the public key?
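The four steps in the question, plus the idea of a key ID derived from the public key, as an added stand-alone example (not from the question or from MITRE's message). It uses textbook RSA on two small, constructed primes and the hash named in the email (SHA-1); real PGP keys are far larger and wrap the hash in padding and packet framing, which is omitted here.

```python
import hashlib

# Toy RSA key pair from two small fixed primes (constructed for this demo only;
# real PGP keys are 2048+ bits and the hash is padded before signing).
P, Q = 104723, 104729
N = P * Q
E = 65537                     # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC = (E, N)
PRIVATE = (D, N)

def digest(message: bytes) -> int:
    """Step 1: hash the whole message to a fixed-length value ('Hash: SHA1')."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Step 2/3: apply the PRIVATE key to the hash; the result is the signature
    that travels with the message. Encryption uses the public key, signing
    uses the private key: same math, opposite key."""
    d, n = private_key
    # reduced mod n only because this toy modulus is smaller than a SHA-1 digest
    return pow(digest(message) % n, d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Step 4: apply the PUBLIC key to the signature to recover the hash,
    re-hash the received message and compare."""
    e, n = public_key
    return pow(signature, e, n) == digest(message) % n

def key_id(public_key) -> str:
    """A PGP key ID is the low 64 bits of the key fingerprint, which is SHA-1
    over the public key material. Here the 'material' is just e||n, so the
    ID can be computed from the public key alone and used to look it up."""
    e, n = public_key
    material = e.to_bytes(4, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
    fingerprint = hashlib.sha1(material).hexdigest().upper()
    return fingerprint[-16:]   # last 8 hex digits would be the 'short' key ID

if __name__ == "__main__":
    msg = b"I found an integer overflow in PHP ..."   # constructed sample message
    sig = sign(msg, PRIVATE)
    print("key ID   :", key_id(PUBLIC))
    print("verified :", verify(msg, sig, PUBLIC))            # True
    print("tampered :", verify(msg + b"!", sig, PUBLIC))     # False
```

The key ID printed is what a link or keyserver lookup is keyed on; it identifies the public key but is not the key itself, so the full key still has to be fetched (and its fingerprint checked) before the signature can be verified.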