Check OpenPGP Key files for known cryptographic vulnerabilities
Project description
OpenPGP-Key-Analyzer
An Open Source Python CLI, which can parse keyfiles conforming to the OpenPGP standard and analyze them for vulnerability to known cryptographic weaknesses
Supported Formats
The Analyzer supports OpenPGP Key Files in ASCII-armored or Binary Format.
Both RFC 4880 and RFC 9580 are supported.
:warning: If no warning is created for a given key this does not automatically make the key secure against any attack. It only indicates, that no weakness to the already implemented vulnerabilities could be detected!
Installation
The OpenPGP Key Analyzer can be installed via pip (it is encouraged to use a virtual environment):
pip install OpenPGPKeyAnalyzer
Alternatively you can execute the OpenPGPKeyAnalyzerApp.py file in the OpenPGPKeyAnalyzer Directory directly from this repository.
Usage
If installed via pip: Enter the command openpgp-analyze in a shell wherever you installed the application to.
:warning: The first time you use this command a settings.json file will be created in an specified directory, if no settings.json yet exists there. This file will be read and written to by the application and can alter the workflow of evaluations. It therefore poses a potential security risk!
After starting the application, a Python CLI will start. At the moment, the following commands are supportet:
- ? or help: Displays the allowed commands of the cli as well as their docstring
- settings: Display the current settings and possibly alter them
- analyze: Enter an OpenPGP Keyfile and evaluate it for cryptographic vulnerabilities
- analyzedir: Enter the path to a directory and evaluate all OpenPGP Keyfiles in it. Only Keyfiles on the top level of the directory will be evaluated. No recursive check in subdirectories is currently implemented
- sources: Prints the sources for implemented vulnerabilities onto the command line.
Implemented Checks
- Deprecated Key Version: Checks if the version of a given Keyfile is deprecated according to the specified RFC
- Key lengths: Checks wether a given Keyfile has an key length that is considered insecure according to the NIST and BSI specifications. Additionally, users can specify an effective key length against which Keyfiles should be checked
- Deprecated algorithm; Checks, wether a given Keyfile uses an deprecated algorithm
- RSA specific checks:
- Fermat Factoring Algorithm: Checks an RSA key for vulnerability to Fermat's Factoring Algorithm
- Low private exponent: Checks an RSA secret key for low private exponent
- Low public exponent: Checks an RSA key for low public exponent
- ROCA: Checks an RSA key for the ROCA vulnerability
- Elgamal specific checks: No further checks implemented yet
- DSA specific checks: No further checks implemented yet
- ECC specific checks: No further checks implemented yet
Settings
| Setting | Allowed Values | Default Value | Purpose |
|---|---|---|---|
| RFCVersion | RFC4880, RFC9580 | RFC4880 | Specifies the RFC version a key should be checked against. |
| UserSpecifiedKeyLength | Integer values greater than 0 | -1 | Specifies the minimum effective key length a key must possess. |
| FermatFactoringCheckIncluded | Boolean values | True | Specifies whether the RSA key should be checked for vulnerabilities against Fermat's factoring algorithm. |
| FermatFactoringEffectiveLengthToCheck | Integer values greater than 0 | 120 | Specifies the minimum bit-length difference between p and q in RSA keys for Fermat checks with secret keys. |
| LowPrivateExponentCheckIncluded | Boolean values | True | Specifies if a given RSA secret key should be checked for a low private exponent. |
| LowPrivateExponentBound | Estimated Bound, Boneh and Durfee Bound | Estimated Bound | Specifies the bound to check the private exponent d of an RSA secret key against. |
| LowPublicExponentCheckIncluded | Boolean values | True | Specifies if a given RSA key should be checked for a low public exponent. |
| LowPublicExponentBound | Integer values greater than 3 | 65537 | Specifies the lower bound an RSA public exponent should have. |
| ROCACheckIncluded | Boolean values | True | Specifies if a given RSA key should be checked for the ROCA vulnerability. |
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file openpgpkeyanalyzer-0.1.12.tar.gz.
File metadata
- Download URL: openpgpkeyanalyzer-0.1.12.tar.gz
- Upload date:
- Size: 14.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6b06edfbcdccbf70ca45e7759133c78938578d8a262986a33518f57dcb7aaad1
|
|
| MD5 |
0a7c36f6054f5df9ae4fb7ff122a4ccf
|
|
| BLAKE2b-256 |
ec0ae5bdced3ee4aa534808b339312f8acf75d07fa40c3d6f61702ff3e063222
|
File details
Details for the file OpenPGPKeyAnalyzer-0.1.12-py3-none-any.whl.
File metadata
- Download URL: OpenPGPKeyAnalyzer-0.1.12-py3-none-any.whl
- Upload date:
- Size: 21.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
697e50e1bd8025a8c9548958a1638623b09b6f8321cf4ce5603e2e6767fd83de
|
|
| MD5 |
14521862b5cb843782ca60b29b0915e9
|
|
| BLAKE2b-256 |
744d9beb9e4401380928222d3e858c12ec855f3d2b6a19dab998cc7959416f84
|
