
Cloud Vulnerability DB
A community-led vulnerabilities database
The ElGamal implementation in Libgcrypt before version 1.9.4 is affected by CVE-2021-40528, a vulnerability that allows plaintext recovery from OpenPGP messages. It is not a bug in a single code path but a cross-configuration problem: it arises when two cryptographic libraries interact, and a specific combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the way the sender's library samples its ephemeral exponents makes the encrypted message attackable (MITRE CVE, IBM Research).
The vulnerability stems from dangerous combinations of ElGamal parameter choices across OpenPGP implementations. The attack becomes possible when three conditions hold together: the receiver's public key defines a prime p such that p-1 contains small factors, the receiver's public key defines a generator g that generates the full group of invertible elements modulo p, and the sender's library uses short ephemeral exponents k. Under these conditions the attacker first applies the Pohlig-Hellman algorithm to the first ciphertext component g^k, projecting it into each small-order subgroup of the full group to learn k modulo the product of the small factors of p-1. Because k is short, the unknown remainder is confined to a range small enough to search with the baby-step giant-step algorithm. Once k is known, the attacker computes the mask y^k from the receiver's public key y and strips it from the second ciphertext component, recovering the plaintext without ever learning the receiver's private key (IBM Research).
The vulnerability allows attackers to recover plaintexts from encrypted messages when specific combinations of sender and receiver software are used. The attack particularly affects messages sent by GPG (via Libgcrypt) or Crypto++ to approximately 2,132 registered public PGP keys. The attack complexity varies with the sender's software and the receiver's public key, ranging from a few hours on commodity hardware to several CPU-years (IBM Research).
The vulnerability was addressed in Libgcrypt version 1.9.4 by changing the sampling of ephemeral exponents to use large values with as many bits as p, which removes the short-exponent condition on the sender side. Users are advised to upgrade to this version or later. Note that the upgrade protects messages sent by the patched library; a receiver key with the dangerous prime and generator combination remains exploitable whenever an unpatched sender encrypts to it. For affected keys, it is therefore recommended to revoke them and generate new keys using either GPG or Crypto++, or to switch to a different algorithm such as RSA or ECC (Gentoo Security, IBM Research).
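The following is an added, constructed example (not Libgcrypt or Crypto++ code) that models the three conditions described above and the short-exponent fix on deliberately tiny parameters. It builds a receiver key whose p-1 is forced to have the small factors 2 through 19 and whose generator spans the whole group, encrypts with a 48-bit ephemeral exponent (standing in for the pre-1.9.4 sender), and recovers the plaintext with Pohlig-Hellman followed by baby-step giant-step. It then repeats the run with an exponent as long as p, where the baby-step giant-step range becomes infeasible. The 128-bit prime, the seed, the plaintext and the work budget are all assumptions chosen so that the script runs in seconds.

```python
"""Toy model of the CVE-2021-40528 conditions (constructed example, not library code)."""
import math
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]  # forced small factors of p-1 (constructed choice)
M = math.prod(SMALL_PRIMES)                  # smooth part of p-1, about 2^23


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin, good enough for generating toy parameters."""
    if n < 2:
        return False
    for r in SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def weak_receiver_key(p_bits, rng):
    """Receiver-side conditions: p = M*q + 1 with q a large prime, g of full order p-1."""
    q_bits = p_bits - M.bit_length()
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q, rng):
            continue
        p = M * q + 1
        if is_probable_prime(p, rng):
            break
    while True:
        g = rng.randrange(2, p - 1)
        if all(pow(g, (p - 1) // r, p) != 1 for r in SMALL_PRIMES + [q]):
            break  # g^((p-1)/r) != 1 for every prime factor r: g generates all of Z_p^*
    x = rng.randrange(2, p - 1)
    return p, g, pow(g, x, p)  # public (p, g, y); the private x is never used by the attacker


def encrypt(p, g, y, m, k_bits, rng):
    """ElGamal encryption with a k_bits-bit ephemeral exponent (short if k_bits << len(p))."""
    k = rng.randrange(1, 1 << k_bits)
    return pow(g, k, p), m * pow(y, k, p) % p


def crt(residues, moduli):
    """Combine k mod r_i for pairwise coprime r_i into k mod prod(r_i)."""
    k, mod = 0, 1
    for r, n in zip(residues, moduli):
        k += mod * ((r - k) * pow(mod, -1, n) % n)
        mod *= n
    return k


def pohlig_hellman_small(p, g, c1):
    """Recover k mod M from c1 = g^k by projecting into each small-order subgroup."""
    residues = []
    for r in SMALL_PRIMES:
        e = (p - 1) // r
        gr, hr = pow(g, e, p), pow(c1, e, p)  # both have order dividing r
        residues.append(next(j for j in range(r) if pow(gr, j, p) == hr))
    return crt(residues, SMALL_PRIMES)


def bsgs(p, base, target, bound):
    """Baby-step giant-step: find t in [0, bound) with base^t = target, else None."""
    m = math.isqrt(bound) + 1
    table, cur = {}, 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * base % p
    step, gamma = pow(base, -m, p), target
    for i in range(m):
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * step % p
    return None


def recover_k(p, g, c1, k_bits, max_bsgs_work=1 << 20):
    """k = k0 + M*t: k0 from Pohlig-Hellman, t < 2^k_bits / M from BSGS. None if infeasible."""
    k0 = pohlig_hellman_small(p, g, c1)
    bound = (1 << k_bits) // M + 1
    if math.isqrt(bound) > max_bsgs_work:
        return None  # full-size exponent (the 1.9.4 behaviour): the t range is out of reach
    target = c1 * pow(g, -k0, p) % p  # equals g^(M*t)
    t = bsgs(p, pow(g, M, p), target, bound)
    return None if t is None else k0 + M * t


def demo(k_bits, seed=2021):
    """Returns (plaintext, recovered plaintext or None) for a sender using k_bits-bit exponents."""
    rng = random.Random(seed)
    p, g, y = weak_receiver_key(128, rng)
    m = 0xC0FFEE  # constructed plaintext
    c1, c2 = encrypt(p, g, y, m, k_bits, rng)
    k = recover_k(p, g, c1, k_bits)
    return m, (None if k is None else c2 * pow(y, -k, p) % p)  # y^k is the only mask needed


if __name__ == "__main__":
    print("short 48-bit exponent:     ", demo(48))
    print("full-size 128-bit exponent:", demo(128))
```

Each of the three conditions can be removed independently to see the attack fail: drop the small factors from p-1 and Pohlig-Hellman learns nothing, pick a generator of a large prime-order subgroup and the projections collapse to the identity, or use a full-size exponent as in the fixed Libgcrypt and the baby-step giant-step range exceeds any budget.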
Source: This report was generated using AI