by hurin 4046 days ago
Can anyone confirm this is true?
3 comments

Yes:

    817023023960376946633975507110154649249407598806798730414849884461776172171921668594148071323527016137506405823108520062504849249423700259406905313281403901410082762097159560221463048924336192384026777502177262731045200322200149773127502888545234973139480887644585192600631058962876114156934248895171959246969597637127280010272143593885240940877456234662196130491400738438731832514335353824697930453078426722191105157568392826870043655708008545411143367763836566011740499383456592129662585004880376777597714978023542434421914201119537685489173509942329090631662014650033142642110914360849421856179611226450806562235534802516081595259914768497444702718749402330070488028751073730349460752771915484847399385631524708487646079936572410398967582895983187640798072309362094727654167628620105981459021548290415800096769214437425690934372015628796027498219902441288189398386359846661623243493534897411417685435424010451956954083531228374002591372549525280610594684910812811287436481207089763125424247793044043309737269468709710679872269272855389945385386467765509880648929743498214329578288874987193768439353382305260108425688024147656806932474058888992099083804597481699305852902662863062054067183925164590726103552998367994727700722491707 `mod` 231
    0
Wait a minute, I get a different n value by downloading that key and running gpg --list-keys --with-key-data on it.

You have one ending in 131307671292149646652772992033083 and I have one ending in 726103552998367994727700722491707 that is not divisible by 231.

The key as seen by Phuctor had three sub-keys, one of which was an RSA key which turned out to be factorable.
Sorry, I was looking at the other one. But something is still very, very odd. (1) Two of the subkeys agree with one another for hundreds of digits and then disagree. (2) I did gpg --recv-key 51221121 and I got a key back from the keyserver with fingerprint 7EAA C969 3E7D 2205 46BE 576C BDA0 6085 493B ACE4 (only, no other keys) -- which doesn't match the key ID that it should, and is seemingly missing the vulnerable subkey entirely.
Can you post the ASCII-armored key that you have? I am getting a radically different key from the keyservers, and I wonder if there could be some kind of keyserver attack or misbehavior involved here too.
Well, it lists the key and says the first factor is 231. If you have a big enough calculator, this is trivial to verify.
Author of 'phuctor' speaking.

I can only confirm that we have a key, downloaded from an SKS dump, said key purporting to belong to one Mr. Anvin, containing one sub-key being an RSA public key which turned out to be factorable with trivial effort.

Anything else is mere conjecture.

You can confirm this independently with the key itself and the published prime.
I too can post a public key I have the private key for and a factor? Or intentionally create a weak key?
Yes you can, we just need to find hpa's n value and see whether it is divisible by 231. If it is, the claim is correct.

I found the n value for my own PGP public key before and I can find hpa's too, I just have to remember the right arguments to gpg.

It's: gpg --list-key --with-key-data <id>

    $ gpg --export -a $KEYID >keyfile.asc
    $ gpg --list-packets --debug=0x02 keyfile.asc
...but I don't know if the pkey[] values are directly usable, or have some substructure.
you can trivially verify a key was broken if it was, duh, broken
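The divisibility check discussed in this thread, as an added example that is not from any of the commenters or from Phuctor: it reads RSA moduli out of a colon-format key listing and trial-divides each by small primes. It assumes the `pkd:<index>:<bits>:<hex>:` record layout documented in GnuPG's doc/DETAILS (index 0 being n for RSA); the listing, key IDs and toy-sized moduli below are constructed for illustration.

```python
# Constructed sample in the shape of `gpg --with-colons --with-key-data` output.
# Moduli are toy values: FFF1FFF1 = 65521 * 65537, E700E7 = 231 * 65537.
SAMPLE = """\
pub:-:32:1:AAAAAAAAAAAAAAAA:1400000000:::-:::scESC:
pkd:0:32:FFF1FFF1:
pkd:1:17:010001:
sub:-:24:1:BBBBBBBBBBBBBBBB:1400000000::::::e:
pkd:0:24:E700E7:
pkd:1:17:010001:
"""

def small_primes(limit):
    """Sieve of Eratosthenes: all primes <= limit."""
    sieve = bytearray([1]) * (limit + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
    return [i for i, is_prime in enumerate(sieve) if is_prime]

def rsa_moduli(colon_output):
    """Yield (keyid, n) for every RSA pub/sub record that has a pkd index-0 line."""
    keyid = None
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            # Field 4 is the algorithm id (1 = RSA); field 5 is the key ID.
            keyid = f[4] if f[3] == "1" else None
        elif f[0] == "pkd" and f[1] == "0" and keyid:
            yield keyid, int(f[3], 16)

def audit(colon_output, limit=10000):
    """Map each RSA key ID to the primes <= limit that divide its modulus."""
    primes = small_primes(limit)
    return {kid: [p for p in primes if n % p == 0]
            for kid, n in rsa_moduli(colon_output)}

if __name__ == "__main__":
    for kid, factors in audit(SAMPLE).items():
        print(kid, "small factors:", factors or "none found")
```

A well-formed RSA modulus has no small prime factors at all, so any non-empty list marks the (sub)key as malformed.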