PGP Vulnerability Discovered

Bruce Schneier, of Counterpane, sent in the word that a vulnerability has been found in PGP. He attached an explanation below of what's going on, as well as a paper concerning the risks of key escrow.

From Bruce:

PGP Vulnerability

A very serious PGP vulnerability was just discovered. Using this vulnerability, an attacker can create a modified version of someone's public key that will force a sender to encrypt messages to that person AND to the attacker.

Let me explain.

When Network Associates joined the Key Recovery Alliance, they modified PGP to allow for third-party key recovery. They did this by supporting something called an Additional Decryption Key (ADK). Normally, when a PGP user creates a PGP certificate, it contains a single public key (as well as identifying information as to who the key belongs to). PGP version 5 and 6 allow the user to add additional ADKs to the certificate. When a sender encrypts a message to that user, PGP will automatically encrypt the message in both the user's public key and the ADK. The idea is that the ADK belongs to the secret police, or the user's employer, or some organization, and that organization can intercept the encrypted message and read it.

A stupid idea, but that's the sort of thing that Key Escrow demands.

The flaw is that some version of PGP don't require the ADKs to be in the signed portion of the PGP certificate. What this means is that an organization can take a PGP certificate, append his ADK, and spread it out to the world. This tampered version of the certificate will remain unnoticed by anyone who doesn't manually examine the bytes, and anyone using that tampered version will automatically and invisibly encrypt all messages to the organization as well as the certificate owner.

Unfortunately, the problem won't go away until all vulnerable versions of PGP are eradicated: the sender who is responsible for encrypting to the ADKs, not the recipient.

Way back in 1998 a bunch of us cryptographers predicted that adding Key Escrow would make system design harder, and would result in even more security problems. This is an example of that prediction coming true.

Re:Am i missing the point of PGP

The corporate ADK concept is something like this..

We use encryption to ensure that our IP is secure, not so that your private email is secure. We own the IP, therefore we have every right to be able to decrypt any message that our employee sends using company equipment, in this case, computer, bandwidth, encryption key.

I agree with that.. thats why I have a personal key, generated at home, that I use for 'other' communication... granted, its probably shot to hell now, BUT...

Re:Lawsuit

I was about to moderate you up, but then I felt I had to reply instead.

The fact is that this is too close to reality to be a troll, and too funny to be real.

By the way, once Judge Kaplan tells us Bruce is illegal we will all be forbidden from speaking to him.

Re:Lawsuit

Why is this marked funny? This isn't funny!

Re:This was rumored for awhile

The only way that this vulnerability could be used in this fashion was if the NSA broke into *all* of the central key repositories, appended ADK's to the public keys of the people they wanted to monitor, and hope that noone noticed the difference.

My questions is this: Does the ADK change the fingerprint on the key? If it does, then any responsible user of cryptography would know if their key was tampered with. Isn't that the whole point of the fingerprint being there..?

As a side note, I think the NSA doesn't slam the use of PGP because all they have to do is watch the people using PGP closer. This has always been a potential downside to crypto.. If it's use is made difficult or put on shaky legal ground, then the average citizen will be afraid to use it and only the people the NSA wants to keep an eye on will keep using it. Even if they can't read it, they can build surveilence webs by tracking who sends encrypted email to who.

"Proper" OS means one with /dev/random

Hey dummy, he's right!!! Check your facts... GPG should only be used on systems that have /dev/random or some other entropy gathering device. That is, until the WIP entropy gatherer is completed that should work everywhere that doesn't have one built into the OS.

Re:"Proper" OS means one with /dev/random

[ssimpson]

Phew, someone else can RTFM ;)

Re:Open Source at it's best

You're confused. The ethos of open source is "too many cooks spoil the broth", not "many eyes make light work".

Re:Not new or secret

[Nick+Ives]

Ahh, but here in the UK we have the lovely Regulation of Investagory Powers bill coming into force, which will make you a criminal just for refusing to supply passwords to encrypted documents. Noone has to proove you actually did anything wrong either, they just have to have to suspect you of a crime, get your computer, find some encrypted files they "believe" may be involved in said crime and force you to supply passwords.

How ironic that this bill was rushed through the commons to make time for the ratification of the European Convention on Human Rights. That bill acts retroactivly on all other legislation though, so with any luck the RIP will be thrown out just as quickly as it was enacted. Heres hoping eh?

Nick

Re:GPG may not support this, but...

[The+Man]

GPG may not support this; however, what if a key created with GPG had this ADK appended to it and a PGP client was used to interpret and use the key?? Is there any chance in the world of general key misuse due to the fact that PGP is a rather popular client??

Yes of course. So 1) Don't use PGP5/6, 2) Don't accept anything from anyone who uses PGP5/6, and 3) Make certain all keys come from known sources.

Of course, since the vulnerable versions of PGP are the Microsoft ones, this shouldn't really be a problem. After all, nobody who uses Microsoft products is really worth communicating with anyway, securely or not.

Re:Bald-Faced Alarmism

[Suydam]

This post was not about whether or not Key Escrow was good from the standpoint of privacy and/or morality. Rather, it's about a vulnerability in Key Escrow's current implementation. So frankly, I'm glad it's posted here.

Yes, you're missing something obvious

[bkosse]

The fact that an ADK requires you actively add it when you generate a key. In a corporation, it's possible (if I remember right) to force all keys to have an ADK, and you're not likely to be using that feature at home. That, and this is a sincere case of it being a bug which was rectified within 19 hours of being reported.

--
Ben Kosse

Re:Open Source at it's best

[sheldon]

Too many cooks spoil the broth, but at least no one person is to blame.

:-)

GPG may not support this, but...

[CmdrChalupa]

GPG may not support this; however, what if a key created with GPG had this ADK appended to it and a PGP client was used to interpret and use the key?? Is there any chance in the world of general key misuse due to the fact that PGP is a rather popular client?? I'm no expert on key exchange, but this, to me, seems to be the case. Would someone care to correct me?? ( I truly hope I am corrected ) CmdrChalupa (Who cannot for the life of him remember how to change his sig)

Re:Why key escrow?

[PiMan]

I use a 2048 bit key; I know plenty of people that use a 4096 bit key. Look at how long it's taking distributed.net to crack 64 bit encryption. I doubt the government as a whole has as much power as d.net.

Oh yeah, and remember that each 1 bit increase makes decryption twice as hard. So take how long it's taken distributed.net to crack 64 bits (when it actually does), multiply that by 2^1984 (interesting number, there), and you get how long it would take to crack my key.

2^1984 is 17519084095371315372205096453516875976903041108531 115729944499768459 56819751541616602568796259317428464425605223064365 804210081422215355 42514943139063515195524795515663623474122144743573 364326280866892990 20917700924929117377683771354265903631662956843704 986047082885560446 87341394398676292971255828404734517580702346564613 427770683056761383 95539756433869062809321146584824404919635370302264 040020573909311827 08037783527682766702026983972145566292044203099655 470568932336087583 87329699097930255380715679250799950923553703740673 620901978370802540 21887027931481072279053989933427151436544436927568 2816

Another Possible Exploit?

[freddie]

If I understand this story correctly, the commercial version PGP supports key escrow, and it does so by encrypting the message with a normal public key, as well as practically copying it with this ADK.

Now wouldn't it be possible to re-implement this standard with, say gpg? Except that instead of encrypting twice the same message, we encrypt two different messages. Now when the FBI/CIA/NSA/KGB/BND/MI5 comes to snoop, they think that they're seeing everything but they're not.

They asked for key escrow, but we can use it against them.

The start of a method for finding compromised keys

[named]

The command

gpg --export --armor | gpg --list-packets | less

is the start of a method for finding out whether you have any compromised keys in your posession.

ideally, the 'less' command would be replaced with either a 'grep' command for some sort of script. Unfortunately, I don't know (nor do I have the time to figure out) how to create a compromised key. Having a compromised key would let me figure out what to grep for...

if anyone else knows what the regex supplied to grep should be, please share!

Yeah, but...

[crisco]

... since GnuPG suupports the version 4 keys that are vulnerable, it supports the continued use of software that is vulnerable. I got the strong impression from the conclusion of the article that PGP Classic (2.6.x) was the only reccomended solution to use.

I know I'm going to get that baby back on my machines ASAP. Of course, I've got a feeling lots of things are going to change in another month with the patent expiration on RSA and with this discovery. But until there is a clear solution, PGP Classic works as good as ever for me.

Oh, and for you command line whimps, there are assorted PGP shells that make the entire process of key management and message signing and encryption as pointy and clicky as the current PGP for windows.

Re:Yeah, but...

[synx]

You may or may not know this, but GPG doesnt honour the ADK, so infact GPG wont generate "vulnerable" messages.

Re:Wait, Wait!

[hobbit]

Good grief! I'm glad I don't employ Signal 11 as a coder!

/* If we get a warning, shut down the reactor */
if (message != WARNING) shut_down_reactor();

Re:Real reason we wanted key escrow

[hobbit]

That long? You must have very old hardware. Our quantum computer can factor a googleplex-digit number in under 10 picoseconds.

Hamish

PGP is not Open Source

[TonyGreene]

PGP's source is published, but the restrictions on changes and redistribution mean it does not meet the definition of Open Source promulgated by the Open Source Initiative.

Re:This is no surprise

[kcbrown]

2) "They deliberately changed the command line interface to break every PGP-interoperable tool out there." No. *I* deliberately changed the command line interface (with much deliberation) for two reasons: Once Unix development started, we were on a very tight schedule, as the Windows and Mac versions had already been released (see below). The primary goal was to make it possible for Unix to decrypt the new key formats as quickly as possible. There was not time, under the schedule, to reimplement the 2.x command line item-for-item.

...and...

3) "They released the Windows version months before the UNIX version." True enough. We were a startup, in those days, and, if you look at Wired Magazine from the same time period, youll find we did significant layoffs at the company around that time. As 5.0 was rolling out, PGP, Inc. was realizing that it didn't really have enough funding to keep going as an independent entity. As a result, we didn't have any resources to devote to Unix.

When are people going to learn that tight schedules and solid, reliable, secure code are mutually exclusive? For most things what you did would have been excusable, but PGP's very mission makes it an exception to that. So as soon as you knew that you were on a tight schedule you should have concentrated releasing the source code of PGP 5.0 to the world so that others who did have the time to do things properly could have.

Instead, PGP 5.0 became yet another example of what happens when you try to code under a tight deadline. How many more such examples do we need before people START GETTING IT??? It's little surprise that most of the things we tend to use today are buggy pieces of crap: they were all designed and implemented with time to market as the primary goal.

Personally, I'm perfectly willing to wait a bit for something to be designed and implemented properly. But I seem to be very much an exception to the rule...


--

Moderate this up !!

[AftanGustur]

Moderate this up !!
--
Why pay for drugs when you can get Linux for free ?

Re:You can point them or they can be pointed at yo

[Anonymous+Coed]

They [nuclear weapons] both work exceedingly well to prevent problems.

Umm, problems like uranium processing by-products stored improperly and seeping into groundwater? (Ever hear of Superfund?) Problems like a few 'arrows' getting stolen by god knows who from a poorly guarded central asian military base? Problems like warheads laying on the bottom of the sea, seeping out poisonous death? (Thanks, Kursk!) (Not that poisonous death doesn't come from many other sources.)

I'm curious, what 'problems' do nuclear weapons solve except the problem of wiping out all of humanity? (Which I am for, by the way. And the obvious retort to that is "why don't you start with yourself", to which I reply: "I wanted to wait around to check that you got included.")

Fix is out

[Miskatonic]

Tell your Windows friends that the MIT non-free freeware Win32 version has already been updated to fix this.

http://web.mit.edu/network/pgp.html

Tell your Linux friends that they should be using GPG anyway.

Re:Close, but wrong on a couple of key points

[benedict]

Is the existence or non-existence of the ADK protected by the cryptographic hash? In other words, if you create your certificate with a non-vulnerable PGP program, no ADK can be added? That's implied by your post, but I want to be sure I understand correctly.

--

Re:Close, but wrong on a couple of key points

[benedict]

So the original certificate has to contain a (possibly empty) ADK packet for the exploit to work? And thus it has to have been generated by a version of PGP that supports ADKs and that buggily[0] includes the ADK packet in the unsigned portion of the certificate?

Sorry for posting misinformation on those *cough* key points.

[0] I say it's a word, so there.

--

Re:This was rumored for awhile

[TZA14a]

A friend of a friend, who claims to be ex NSA, when asked about PGP, after a few beers, smiled, laughed and said something about the session keys not being as random as people might imagine.

Yeah. If your friend is ex-NSA they probably fired him for lack of cluons.

What sessions?
--
"The use of COBOL cripples the mind.
Its teaching, therefore, should be

Re:So what's the answer

[DavidTC]

Idea: A company could set up an internal auto-ADK-adding keyserver for its employees to use, and of course they have access to the outgoing mail spool.

Of course, an actual ethical company would just give its public keys to their employees, and have them add the ADK themselves. Actually, this bug gives them a neat way of doing it automatically, assuming there is a key server. They still should inform the employees, though.

-David T. C.

Re:Not a problem with PGP

[DavidTC]

You're right except that the 'message' isn't encoded twice, it's encoded once with a random key, using non-public key algorythms, which is then encoded with your key and the ADK.

And, pre-encoding your message completely defeats the public-private key scheme. If you're going to do that, just tell PGP to encode to a password, which, at least, I know 2.6.2 can do.

-David T. C.

Re:So what's the answer

[CodeMonky]

There are better ways to do this. If it is something that important no single person should have control over it. You use secret sharing and have it so that for instance 2 of 3 keys are needed in order to decrypt the message.

Why use 2.6.2

[slashpot]

Its been a long time, but for some reason the idea that if you need to use PGP only use version 2.6.2 is firmly stuck in my head playing over and over like a broke record. If you "need" to use encryption to communicate with someone (or protect some data...), only 2.6.2 and if they can't or won't use it then you shouldn't communicate with them (or bother keeping the data).

2.6.2... yep, that is definitely engrained in my brain, can anybody help me to remember or figure out why?

Re:Why use 2.6.2

[kevinmaly]

That is because PGP 2.6.2 is easy to check the source code and doesn't have ADK's. It does have the encryption to self option, but that still only allows the receipent and the sender to view the message. With ADK any Tom, Dick or Harry at the Company can read every message without the knowledge of the sender or receiver.

Re:Rebel without a clue

[Omnifarious]

It's not PGP that has to have the alternate commercial use, it's the technique of adding ADKs to an existing key unbeknownst to the original issuer of the key or anybody recieving the key.

The claim he's making is actually reasonable from the perspective of the DMCA as I understand it. That technique really has no viable commercial use. It can only be used to do underhanded things. Breaking encryption on something for the purpose of violating the copyright is one of those things.

Re:gpg

[rhavyn]

You might want to read some more. Windows does not have a good random number generator. GPG doesn't come with a good RNG. Until it does, keys generated under windows (or any other os without a good RNG such as /dev/random) are insecure.

GPG?

[ldspartan]

Although I don't use it very often personally, does anyone have any information as to if/how this vulnerability applies to GPG? -- Phil

Re:GPG?

[crow]

I assume GPG doesn't support key escrow. If I'm right on that, then it doesn't have the problem.

Re:GPG?

[lizrd]

Nobody supports key escrow. Key escrow and ADK are completely different concepts. In the case of key escrow a copy of any key generated must be turned over to the authority. This is bad because then signing and decryption with that key can be done w/o your consent. In the case of a properly done ADK it is impossible for another party to make a signature using your key but it is possible for the party named when the key was generated to decrypt messages to you.

This is why PGP chose to implement ADK. When ADK is avaliable there aren't the risks associated with key escrow and users are less likely to do something as foolish as generating pgp keys and giving a copy of their private key to someone else for safekeeping. The flaw in this case is that due to a poor design the ADK can be inserted after key generation w/o the key owner's knowledge.
________________
They're - They are
Their - Belonging to them

Re:GPG?

[SgtPepper]

It shouldn't, at all.

GPG is based on the OpenPGP standard ( RFC 2440 ) which doesn't, AFAIK, include "Key Escrow" or "ADK". PGP seemes to have "added" this feature, perhaps this is what the mean by "multiple recipents" in the E-business product.

Of course I could be wrong, but that's the way it looks to me :)

Re:GPG?

[Greyfox]

It looks like GPG can also be used to check a message to see if it's been encrypted to additional keys, although the method to do so is fairly complex. Perhaps the GPG guys should move this functionality up a bit and print a warning if you're decrypting a message that was encrypted to additional keys.

Re:GPG?

[-brazil-]

The answer seems to be this: If you use GPG for *encryption*, then it's not vulnerable. But if you use if for *decryption*, then it is, since the person who encrypted the mail could have used normal PGP with the vulnerability.

Re:GPG?

[ssimpson]

This doesn't apply at all to GnuPG - it doesn't recognise the ADK packet (and it shouldn't - RFC2440 specifies that this packet is simply "placeholder for backward compatibility".

Re:Don't forget...

[zuffy]

...about that funny little graphic in the upper left-hand corner. You know, the one which says "SLASHDOT: News for Nerds. Stuff that matters."

Now, I'm going to point out that "NERDS" part and then we can start talking about what kind of humour is appreciated by the readers of this site. I thought that comment was funny, I guess you just have to go into nerd training for a while and do some background research or something like that.

Re:This was rumored for awhile

[adolf]

I'm somewhat fuzzy with the the notion of true random numbers, so this may be wildly inaccurate.

That said, it occurs to me that the largest problem with finding a random number of a given size is finding a source of randomness to extrapolate from.

Why spend $100 (or hours/days of design and construction) on a device that generates chaos, when almost everyone reading this already has the required hardware: a sound card.

Simply play some music/radio broadcast/radio noise into your sound card's input, and sample it. Give the resultant bitstram a few twists (based on other, random samplings), and the end result should be genuinely random numbers of arbitrary size, for zero cost.

If there's holes in this idea, I'd be interested to know about them. Failing that, I dare someone to code it.

[And before anyone says "Music is not random," I challenge them first to find anything of harmonic or even sinusoidal nature in Ministry's album, Filth Pig.]

Advisory at PGP.com + Zimmerman's comments

[Frogg]

PGP.com had posted a security advisory on this matter, available here http://www.pgp.com/other/advisories/adk .asp.

Zimmerman states that fixes to PGP 6.5.x will be available today, and that keyservers have been/are being modified to filter bogus ADK packets from public keys.

HTH,

fRoGG

Re:So just use "authorized" keys.

[synx]

Directly yes, as in my friend gave me a disk or sshed to my machine, etc, but any key on a keyserver could vulerable.

What we need is a tool which will read a key and tell you if it has a ADK.

Re:Not new or secret

[bolverk]

Blockquoth Mr. T:

As it stands, if I was told by a court to decrypt my email and there wasn't an ADK capability, I would go to jail for contempt until I did, so when it comes down to it, if some one wants to forcably read your email and a court agrees you're going to lose that battle either by decrypting it or by going to jail and testing your will.

INAL, but in the US at least, one cannot be forced to testify against themselves. That's what this seems like to me. Even if they could prove you had the keys with which to decrypt what they want to see, the courts couldn't force you to use them any more than they could force you to "tell them where you hid the $10M".

Re:Not new or secret

[bolverk]

You can't be held in contempt of court for exercising your constitutional rights. Forget it. You can't be punished in any way for exercising your constitutional rights.

(Unless of course you threaten the MPAA's profits, but that's another story).

Is this necessary?

[Opinionated+Newbie]

Why did anyone do this in the first place? Has key escrow become law without my realizing it?

To me, the point of key escrow is simple: I'm allowed to have secrets from little Timmy, but not from Mummy and Daddy.

Even when I was a kid, I didn't like being treated like one.

Re:Wait, Wait!

[Another+MacHack]

Unless you correspond with someone who uses PGP. Then it's time to panic again.

Re:This is worrying, but:

[segmond]

Yes, but you don't just worry about the software you use, you also worry about the people you communicate, if someone is using the "trojaned" version and sends you an encrypted document, it is good as plaintext since someone could have intercepted the secret message as well. All versions of this software need to be secure and trusted. Not just the version you use.

Re:So just use "authorized" keys.

[David+Roundy]

If you mean by "authentic" source, that your trusted friend emails you his key, this is not safe. Email is alterable. An adversary can insert an ADK into the mailed key, that will not be visible to you without specific scrutiny with a hex editor or special GPG incantations.

Presumably if you are bothering to use PGP your friend would either encrypt the key when he emails it to you, or would sign it (preferably both). Either way it should be fine, as long as you don't rely on the self-signature of the key itself.

Re:Implications for digital signatures?

[keete]

I would expect that, since your original, private key contains no references to the additional recipient, the signature created by it would be verifiable only by the corresponding public key.

In this case, the corresponding public key is the original "key material", or payload, in a public key of yours whether or not that key has been tampered with.

Let's say the recipient of the message tries to verify it using a copy of your public key, which has had an ADK inserted by J. R. Hacker.
The message should verify OK as being "from you".

However, if the recipient (aware of the identity of JRH) tries to verify it using a copy of JRH's public key, it will not verify. JRH's public key and your private key have no relationship whatever.

...Now, if JRH adds a reference to your public key, as an ADK, to JRH's public key, I would be unsurprised if the signature "verified" when tested against the altered JRH public key.
However, were JRH to do this to his own key, it would have the interesting side effect of allowing you to read any of the messages encrypted to JRH using this altered key... not something your savvy hacker should do ;)

All of the above is speculation only, I haven't tested it against a working PGP, or checked source code... not that an experiment would be hard to devise. Like Ralf, you would need a text editor...


keete
-

At least its not a false name

[redhotchil]

"Pretty Good Privacy"

Re:why?

[Sponge]

Spoken like a true anonymous coward. ;)

Re:Different keys for different messages

[BlaisePascal]

I beleive there are ways of doing this, but not with PGP/GPG. It's trivial with a one-time-pad.

Re:Lawsuit

[wolf-]

Even worse yet...
We must name NAI as co-defendants in this case also. It is an intentional function of their software to allow ADKs to be used for this purpose.

Re:DeCSS sucks and so do you!

[wolf-]

um, loud mouthed dude...
Our OEM copies arrived yesterday, and I'v had a version out of MSDN for a while now.
Before you run off at the mouth...think...

This guy isn't trying hard enough

[marlowe23]

If the author really applied himself, I'm sure he could find a way to blame Windows for this. Preferably Bill Gates personally.

Re:So what's the answer

[jovlinger]

even from earlier keys?

If later versions automagically convert older format (like the 2.6.2i I think I have) keys to new formats that would could be conceivable. However, automagically doing anything seems contrary to the whole security ethic, no?

Re:This isn't a real problem

[GavK]

THe problem is that some malfeasant party could send you an email pretending to be someone else and say "oops, I lost my private key. Here's the new public key." And you go on sending them stuff, none the wiser to the ADK.

Yep, but that's got a name. It's called being a moron. The price for being a moron has always been harm. Check your sources, always.

If they encrypt using a key that you don't have you should ignore it. If a key you get securely has an ADK in it, don't trust it...

Re:This isn't a real problem

[GavK]

The veracity of my data is verified roughly once a fortnight or so. Shortly before I do my backup.

To mess with my data you would have to have access to my server. I keep my machine pretty up to date, and even have a little firewall.

Yes I know my web admins phone number, it's mine. (My web pages run on my home machine...)

Like I said. Trust no one...

Re:This isn't a real problem

[GavK]

Yeah, but what about the other moron that intercepts your mail with your public key, and modifies it as per the vulnerability??

How do they decrypt it without the person I'm mailings Public key?

The people I mail my key to also check the key carefully when they receive it. That's their responsibility in the whole key exchange deal.

If you're going to use cryptography you have to be paranoid about these things. It's kinda like security issues anywhere...

Re:This isn't a real problem

[GavK]

That, of course, should have said ...mailings Private key

Re:This was rumored for awhile

[ragnar!]

From PGP 2.62, PGPDOC1.TXT

Because the public key encryption algorithm is much slower than conventional single-key encryption, encryption is better accomplished by using a high-quality fast conventional single-key encryption algorithm to encipher the message. This original unenciphered message is called "plaintext". In a process invisible to the user, a temporary random key, created just for this one "session", is used to conventionally encipher the plaintext file. Then the recipient's public key is used to encipher this temporary random conventional key. This public-key-enciphered conventional "session" key is sent along with the enciphered text (called "ciphertext") to the recipient. The recipient uses her own secret key to recover this temporary session key, and then uses that key to run the fast conventional single-key algorithm to decipher the large ciphertext message.

Don't you just hate being publicly humiliated?

Re:This was rumored for awhile

[ragnar!]

Normally, I'd unsult you with "read the fucking story before commenting", but it was a pretty long and pretty technical article.

The problem is, that the implementation of the additional key in the new format for storing keys (which is to say the physical layout of the key or 'certificate' file), isn't in a signed portion. That's the whole problem. You can change it (inserting your own key) and it doesn't change the fingerprint.

The thing I can't decide is whethere it was pure incompetence in the design of the new certificate layout, or if it was an intentional for this very purpose. I think NAI had better come up with some pretty satisfying explanations or no right-minded person will ever trust their 'security products' again.

Makes me glad I still have my old 2.62 code and keyrings laying around... now.. to get the revocations of all my newer keys pushed out to the key servers....

----------------------------------------------

The war on drugs may be over soon.

On my first day in office I will pardon everyone who has been convicted of a non-violent federal drug offense - Harry Browne - Libertarian presidential candidate

Re:why not

[ragnar!]

Or better yet, try this

----------------------------------------------

The war on drugs may be over soon.

On my first day in office I will pardon everyone who has been convicted of a non-violent federal drug offense - Harry Browne - Libertarian presidential candidate

Re:This was rumored for awhile

[ragnar!]

actually, the reason a market for these random generating dongles exist, is that it' pretty difficult to get a very random signal from any normal PC hardware. I believe most of these devices use a zener diode, pushed just over it's breakdown voltage to produce somethink akin to interstation FM hiss. Maybe a white noise generator from the FM synth section of a soundcard... anybody feel like doing some randomness comparisons?

Re:Miscellaneous Thoughts

[goldmeer]

So you're saying if I send you random garbage or stuff encrypted to a key you don't have for some reason, the burden of proof is on you?

Just how long do you think random, encrypted mail that I don't have a key to would stay on my computer? I'm not going to be spending one spare cpu cycle trying to figure out what the heck this file is supposed to be. Especially if I'm not expecting communication from you.

Document Retention Policy. Learn it. Live it.

And if by some chance the files were on my computer when a subponea was served, I could show that none of my private keys (that match up with my public keys) will decrypt the mystery messages from you. It would be likely that your comuter would be subponead to examine your keyring to see what public key you used to encrypt the message. Nasty scenario. It would be a real pain in the arse, but it is surviveable.

Re:Not new or secret

[goldmeer]

IANAL...
Documents are subject to court subponea. If you choose to not comply with a subponea, you can be held in contempt of court.
The defination of document not only includes ard copy printouts and handwritten papers, but also includes files on a computer hard drive, even e-mail.
The court can order you to unlock your safe to hand over any paper documents that are kept inside, just as they can order you to decrypt your electronic documents and mail.
While encryption is a good safeguard against prying eyes, the truly paranoid encrypt their documents, and then implement a sensible document retention program. If the document no longer exists, it cannot be subponead.
How long do you really need to keep that mail message anyway? (My wife's answer to that would be measured in years)

Re:Open Source at it's best

[Ded+Bob]

PGP is not open source.

It might not fit the bill according to the Open Source web site, but the source is (was) available for all to read.

Re:Correction... Correction...

[lizrd]

Someone claiming to be (but we can't be 100% sure) Will Price, Director of Engineering, PGP Security, Inc. ... ;-)

This problem does not have any impact upon the signing of messages. We do still know that messages signed by the key used by the person given the locical label Will Price, Director of Engineering, PGP Security, Inc. Division of Network Associates, Inc. Were in fact signed by that key and no other. (or at least as much as we have ever been able to be SURE)
________________
They're - They are
Their - Belonging to them

Re:It's a matter of trust

[lizrd]

Thank you I'm glad that someone here is getting this right. It's pretty clearly outlined in the manuals that the BEST way to get a key is to have your correcpondant put the key file on a disk sign the file and hand the disk to you. You then open the key file and confirm the fingerprint with your correspondant. The whole process is safe from this (or any) attack.
________________
They're - They are
Their - Belonging to them

Re:gpg

[Yokaze]

How does the lack of patented algorithms make it superiour to PGP (technically not morally)?

Re:gpg

[Eponymous,+Showered]

GPG shouldn't be used on WIN32 for example because there is no suitable source of crypto strength randomness.

What about the Windows 2000 running on a PIII. My understanding is that there is a legitimate RNG built into the PIII (or maybe it's one of the intel chipsets) I would think that this would allow GPG to be sufficiently strong on Win32 if it used the right API call for this (or can access the RNG directly)

For that matter, what make "any version of UNIX" suitably strong? Would that not depend on how /dev/random is implemented? There are a lot of flavors of unix out there. I'd be hard pressed to trust my key generation to Minix on an 8088, for example.

Your Assumptions Are Incorrect

[kspett]

The protocols that pgp uses, as well as the source code, are publicly distributed information. That will be all. get some sleep, buddy.


Kspett

Re:Answers about GnuPG

[pete-classic]

I really hate having to reply to my own post.

I missed the part "As it is gnuPG doesn't honor ADK requests"

Nevermind . . .

-Peter

Re:Answers about GnuPG

[pete-classic]

You misunderstand.

I must rely on the key of the person I am sending to to protect the message I send, for instance, IN TRANSIT!

Of course I can't stop the contents of the message from being under your control if I send it to you!!!

-Peter

Re:NO!

[oldmacdonald]

I think GNUPGP users should worry too. With the caveat that I haven't looked at GNUPGP in detail, the way it sounds like this exploit works is that someone takes your PUBLIC key and adds on the ADK and then sends it around as if it were your correct public key. Anyone sending mail to you using a non-gnu-pgp will be sending vulnerable mail. So just because you have gnupgp doesn't make you safe.

Re:Lawsuit

[rotor]

Oh yeah, that would be really great. Lend more fodder to the precedent AGAINST DeCSS, and then donate the procedes to DEFEND DeCSS. The process would do a hell of a lot more for the MPAA than for the EFF.

Re:who the hell thinks this is funny?

[rotor]

What's wrong with Henny Youngman jokes?

You want geek laughs and Henny Youngman?
"... Take Windows 2000... Please!"

Re:Why key escrow?

[Nonesuch]

What would they do if I had a hardened concrete and steel bunker instead of a house? What if that started proliferating and became the defacto standard. Do you think law enforcement agencies would stand for that? Would they make you build weaker buildings or give them a key?

Many cities and states already have a criminal act known as "illegal fortification". For example, Washington State Code.

So yes, they would.

Re:So what's the answer

[Cable]

Are we talking from a keyserver here? Or can someone snag your public key, like say from Slashdot's profile on you, and then add their key to it?

Re:who the hell thinks this is funny?

[Nezumi-chan]

oh, but then again, these are the same people who think user friendly is funny.

Not me. I realize the truth.

User Friendly is a documentary.

Charleton Heston, maybe?

[Nezumi-chan]

User Friendly is pixels! Pixels!!!

Re:Look at the name [what about it?]

[jmd!]

Uhhh, no... distrubuted.net has not cracked a RSA key, ever. They've cracked DES keys, in contests sponsored by RSA Labs. Get your facts straight before spreading them on slashdot and having idiot moderators mod you up.

Re:Bald-Faced Alarmism

[-brazil-]

You're wrong. There *was* a new flaw discovered in the key escrow mechanism of PGP that made it vulnerable to *anyone*, not just those with a "legitimate" third party key. Read the post.

Correction...

[Andy_R]

Someone claiming to be (but we can't be 100% sure) Will Price, Director of Engineering, PGP Security, Inc. ... ;-)

Re:Implications for digital signatures?

[scruffyMark]

OK, I don't know much crypto, but I know youve got it bass ackward there.

The way it works is: Bob encrypts a message to Jill using Jill's public key. Jill decrypts it with her private key.

The other way around would be useless - if it can be decrypted with the public half of the key pair, Bob might as well send it in plaintext, and save the spies the two minutes it will take them to decrypt it

As for the implications here, read the postings that are rated 4 & 5.

Re:You CAN fix this on the client...

[scruffyMark]

problem is, lots of email clients by default add stuff like:

original message from [someone] on [some date]
---------------------------------
[blah blah blah]

So if you send someone an encrypted email, and they answer it, helpfully adding a reminder to you of what your original question was, your original message is as good as plaintext.

"Warn when encrypting keys to an ADK"

[gfecyk]

I recall seeing this switch - enabled by default - on every version of PGP for Windows I've seen, starting with 5.0.

If you use someone's public key that has been tampered with in this manner, wouldn't it be really easy to notice?

Re:Lawsuit

[systemapex]

Your comment is so funny because it is so true. I say a class action suit is in order. Proceeds go towards funding the DeCSS defense!

Re:Secrecy: we need privacy and protection from TH

[spiro_killglance]

I guess you'll be dead happy when we know your bank details and pin number then.

Re:This was rumored for awhile

[TheLaser]

Might you be able to edit any ADK'ed keys and cut the ADK out? Since it is outside the signed area, this shouldn't prevent the normal decryption of the message, but would prevent the ADK owner from reading it.

Re:gpg

[bXTr]

From www.gnupg.org:
"Because it does not use IDEA or RSA it can be used without any restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application."
'Nuff said there Again from www.gnupg.org:
GnuPG compiles and runs on many more systems, but due to the lack of a well tested entropy source, it should be used with some caution. We have positive reports on these systems:
AIX v4.3,
BSDI v4.0.1 with i386,
HPUX v9.x, v10.x and v11.0 with HPPA CPU,
IRIX v6.3 with MIPS R10000 CPU,
MP-RAS v3.02,
OSF1 V4.0 with Alpha CPU,
OS/2 version 2.
SCO UnixWare/7.1.0.
SunOS, Solaris on Sparc and x86,
USL Unixware v1.1.2,
Windows 95 and WNT with x86 CPUs."
Yep, Windows is in there, but so are a lot of "proper" operating systems. 8) "Why don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind."
To my previous comment, I can only add this: 8)
This was not meant to get anyone's blood pressure up. Just to point out a few things that I felt your original post misrepresented. It also was meant as a pun on the perceived quality and factual accuracy of discussions here on /. In other words, nothing personal, dude. And, yes I've used and installed both PGP and GPG. I prefer GPG for the same reason I use any GNU software; it's free, in both speech and beer 8). BTW, nice FAQ on GPG/PGP.

Re:ADK? Disturbing.

[pallex]

Its your public key. So attackers can snoop on mail addressed TO you, not from you.

Re:Bald-Faced Alarmism

[lurker786]

No, this is not an old issue. The point is *not* that your employer/the CIA/X can read your email (scary though it may be).

The point is that JoeHacker(anyone) can modify your public key so that *he* can read your mail. Big diff.

Re:This was rumored for awhile

[pointym5]

Why was that moderated up to "informative"?!?

Re:Look at the name [what about it?]

[gwalla]

They were sponsored by RSA, but they were DES keys. Not RSA.

---
Zardoz has spoken!

why not

[ArchieBunker]

Just rot-13 it? They will spend months trying to figure out what forms of encryption you used.

Wired Coverage

[icqqm]

Wired covers the story here. Misconceptions about the vulnerability abound.

hogwash

[aozilla]

Unfortunately, the problem won't go away until all vulnerable versions of PGP are eradicated: the sender who is responsible for encrypting to the ADKs, not the recipient.

So? It is also the sender who is responsible for not sending the unencrypted document to anyone else, either intentionally or unintentionally. When you receive an encrypted document, you have no guarantees whatsoever that you are the only person who has access to the unencrypted document. You never have, you never will.

Re:Explanation of the problem

[aozilla]

The reason that this vulnerability in PGP is serious is that you can't fix it by updating your copy: you have to ensure that everybody who might send you encrypted messages has a copy of PGP without the ADK bug. This is difficult, especially when you don't know who your correspondants are going to be ahead of time.

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

Can't you just look at the header information, to see what version it was encrypted with?

I Wonder if the MPAA cares

[IMZombie]

It's pretty much the same thing as DeCSS. I guess since they don't use PGP on DVD movies they don't care.

Re:gpg

[ssimpson]

The problem is: Linux, BSD, Solaris, Be (IIRC) etc all have a /dev/random and /dev/urandom....NT doesn't export the same cryptographic strength RNG in the same way.

I agree - you are dependant on the strength of the Unix /dev/random - but most of the modern distributions seems to have been tried and tested.

Besides, who'd want to run an RNG you haven't seen the source of?!?!?

Re:gpg

[ssimpson]

GPG doesn't suffer from this problem. It is stable, useable and uses the same ciphers (and more...) that NAI/PGP uses.

The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).

Re:Bald-Faced Alarmism

[ssimpson]

BUZZZ...You're plain wrong I'm afraid.

This story isn't discussing the use/deployment of ADK, but rather that someone can add an ADK packet to any PGP key without corrupting the key or alerting the software: the ADK packet isn't covered by the hash function.

Key escrow good or bad is an interesting topic, but this story is about a damn big hole.

Re:This is no surprise

[Cephas+Aurelius]

Thank you for a reasoned responce to a half thought out attack. This is the kind of information I would love to see more often. Until we as developers get a chance to discuss and study other peoples mistakes we shall forever live in the world of Software Artistry where personal opinion/pride and marketing goons get to set the standards we all get to live up to instead of the world of Software Engineering where an engineer says NO and a product stops on the line. Openness in source is important, especially for the entities that do not have bottomless pockets, but openness about our mistakes is more important so we don't repeat those mistakes.

Re:A bit of pedantry

[Mr.+Adequate]

Why did you have to go and do that? Now we can look forward to an "US vs. Rest Of World" flamewar along with the "Many Eyes Of Open Source" one.

OTOH, we could go all out and add Perl vs. Python. And I think it's been a full two stories since the last Gnome vs. KDE one. And maybe emacs vs. vi also fits in there somewhere (doesn't emacs have a GPG whatsit?).

OTTH, let's not and pretend that we had.

Different keys for different messages

[biftek]

afaik, it would not be possible to make the message appear different depending on the key used. The message is only encrypted once with conventional encryption, hence only one message. The conventional key is then encrypted with each public key, so you couldn't produce different messages for different keys (unless there is another flaw in PGP somehow).

Re:Close, but wrong on a couple of key points

[Ready+Aim+Fire]

Can we alter the key server to have it refuse to publish ADK's that are uncertified?

Re:This is no surprise

[wapwam]

If this guy really is the developer then a lot of things make sense. A lot of things can look like a government conspiracy when in fact all they are is a good old fashioned f*ck up. Never attribute anything to a higher intelligence, it's not there.

--- I'm not paranoid, just _very_ careful......

Look at the name

[funk_phenomenon]

It's called Pretty Good Privacy. I mean, the name was its fate. Guess it applies truly now though. It sounds funny when it applies to other areas, such as Pretty Good Security, or Pretty Good Doctor, though. I know the name has nothing to do with the way it works (well now it does), but it's a good note.

Also, there was a question on Jeopardy in The Internet category on what PGP stood for, last night. Interesting.

Even the samurai
have teddy bears,
and even the teddy bears

Re:Look at the name

[Admiral+Burrito]

first of all, why use RSA? just cause the us govt says you should? bah!

You should use RSA because it is a well-studied algorithm. When used properly it is secure.

secondly, while I'm not a crypto-scientist, wouldn't it be safer to use double-encryption? sure, the first layer might be computable in finite time.

Apparently you're not a crypto-scientist, if you've never heard of a "meet in the middle" attack (note: this is different from a "man in the middle" attack). Meet-in-the-middle is why people use 3DES instead of 2DES; 2DES is not really stronger than 57 bits even though the key size is 112 bits. 3DES is still subject to meet-in-the-middle; even though the key size is 168 bits it is "only" 112 bits strong (which is plenty strong).

With public-key algorithm like RSA it's even worse. Each key can be broken totally independantly no matter how many keys you use. "3RSA" would be a waste of time.

Just use a long RSA key. 1024 bits is enough, but computers are fast enough that you may as well use longer (2048 bits is plenty). The current state-of-the-art in factoring can break just over 512 bits. 1024 is a long way off unless you expect some massive breakthrough in quantum computers (the best quantum computers today are less useful than a pocket calculator).

I've often thought of changing pgp in small and subtle ways

NAI's key escrow function is a "small and subtle" change, and look what it's done. And NAI even has real "crypto-scientists".

Don't fuck around with crypto if you're not an expert. The experts get it wrong often enough; we don't need you screwing things up even more. We already have too many amateurs screwing things up.

(maybe some grind algorithm that uses a file that is present on my system and the destination system) and unless you had access to the ACTUAL source/binary that was used to en/de crypt, you'd have almost no hope in getting plaintext back.

This tells me you don't even understand what public key crypto is about.

I can't emphasize enough: Do not go "improving" crypto unless you already have a bunch of cryptanalytic experience.

Re:Look at the name

[TheGratefulNet]

first of all, why use RSA? just cause the us govt says you should? bah!

secondly, while I'm not a crypto-scientist, wouldn't it be safer to use double-encryption? sure, the first layer might be computable in finite time. but unless you give some clues about what the 2nd layer is (could even be rot13-hacked-and-patched), they'd have to try 'opening' that opaque mess with every known crypto alg. pretty time consuming.

I've often thought of changing pgp in small and subtle ways (maybe some grind algorithm that uses a file that is present on my system and the destination system) and unless you had access to the ACTUAL source/binary that was used to en/de crypt, you'd have almost no hope in getting plaintext back.

but like I said, I'm not crypto guy. but to me, using STANDARD sourcecode for crypto is just asking for problems. with unique peer-to-peer matching of specially modified pgp programs, I would surely sleep better at night.

...until they came knocking on my door after midnight, that is.

--

Re:Look at the name

[Whistler007]

There's probably more truth to that than you might suspect. Encryption using PGP is inherently more complex. Since it requires two keys, as opposed to one key in traditional crypto, the math gets a lot more complicated. You can't just use a reversible function.

While there haven't been any real structural attacks to PGP, up until this, it is theoretically more likely that structural attacks will work against PGP than standard crypto. Perhaps the NSA has already found a way? Also, traditional PGP uses the RSA encryption algorithm, which, if you follow Distributed.net, gets brute-forced regularly. If you really are scared of the government reading your email, then I doubt PGP will put your fears to rest.

Re:This can probably be detected by email recipien

[RoscoHead]

I may be wrong, but for the intended recipient of a message it should be possible to detect, that his key was compromised and used with a vulnerable copy of PGP. The receiving PGP/GnuPG just should check if there are any additional encodings which shouldn't be there regarding to the own local genuine version of the key.

Except by then it's too late - the "secure" e-mail is already compromised.

Re:Some discipline needed

[RoscoHead]

My public key has been generated with PGP for Win32, although I use it from GPG too. Am I vulnerable?

Not if you can be certain people sending you encrypted data only use your file to encrypt, and that file is secure from hackers...

Re:ADK flag in PGPKeys

[RoscoHead]

Would checking this field before using someone's public key guarantee that there was no ADK attached to that key or does this vulnerablility mean that the flag won't be set?

It should show correctly whether or not they have an ADK, but can't tell whether or not it's a valid ADK.

Of course, if you're really paranoid, you could refuse to use their public key if they have any ADK, but then you have to find some other secure way of communicating with them...

Analysis tools

[Seqram]

A lesson to be learned: gpg --list-packets is Your Friend. Get friendly with the packet format. And now that I know what that one "unsupported subpacket" type, "reserved for future expansion" is (it was unsupported in the old version of the OpenPGP standard I read) I can upgrade my PGPacket script, which analyzes PGP packets much as gpg does, only in Perl and in different amounts of detail. Hey, there was no GPG when I wrote it, give me a break.

Re:gpg

[gruppa]

No, it doesn't! PGP uses proprietary patented algorithms. GPG doesn't, never has and never will. THAT'S why it's superior to PGP.

If you refer to RSA then

• The patent runs out next month
• There's no technical reason that GnuPGP shouldn't use it. It's a very useful algorithmn.

Re:DeCSS sucks and so do you!

[a_cussword]

Don't pay much attention do ya? Since the 15th, you can get WinME on OEM machines. Also, if you're in the MSDN you get each and every beta of -every- M$ OS.

Re:Not new or secret

[edp]

> Example: Gandhi (yes, at nonviolent.org) has signed Dave Del Torto's key who has signed Theo Ts'o's key who is a kernel hacker and has signed the Kernel key.

How does this direction illustrate any problem? Your previous text speaks of signatures by trusted people, but this example is of a signature by an untrusted person using a fictitious name. A signature from an unknown person is not expected to be any good, so it is not a problem that it is not. If you had an example of a trusted person signing a key for a fictitious name, that would be a problem.

Re:You just thought you were safe!

[sqlrob]

Yeah, right

So you are a cryptologist that can guarantee you didn't somehow weaken the algorithm with a bad key choice or rounding error?

I know I'm not. That's one reason I haven't done cryptography software.

Re:I was having a chat...

[kevinmaly]

It's making me wonder whether we'll ever be able to report bugs that involve anything more than cursory examination. This kid went all the way, decompiled the program, posted every detail about how to determine if your system is vulnerable, how to fix it, etc, etc... and although he's doing EVERYONE a service, it's illegal to have helped like that. No one's going to sue him, I'm sure, but the point is, he broke the law He is a German Citizen is not subject the the DCMA because it is a American law and this occured in Germany.

Some discipline needed

[JCCyC]

Let me see if I got it right: I should be able to see if the public key I'm about to use contains more than one encryption key or not. Also, it seems more secure to get a public key from the recipient's home page than from a keyserver. Right?

The article is quite complex. Does anybody have a simple recipe on how to check a public key's kosherness with GPG? My public key has been generated with PGP for Win32, although I use it from GPG too. Am I vulnerable?

Question

[Captain+Derivative]

Maybe one of you /. guys who knows more about crypto and how this PGP bug/hole/backdoor (depending on your level of paranoid, judging by other posts) applies to this situation:

I use PGP 6.5.3 for Win32 to encrypt the e-mail between myself and home while I'm away at college. I generated both keypairs (mine and the home one) myself, and copied them between the two computers via diskette. In other words, the public keys themselves never traveled across an untrusted network (ie the Internet). So, does this PGP problem affect me in this case whatsoever?

Extending the situation, does this problem have any effect if keys are exchanged via some secure channel, where no potentially untrusted third party has access to the keys (and the chance to add an ADK to them)? So, don't trust the keyservers (which I never use) and you'll pretty much be OK as long as you get the public key directly from the person it belongs to?

(Note: those who want to tell me "Get GPG, you luser" need not reply. Although I could certainly use the DOS port of it, or the true *n*x version, my family at home can't. I doubt I could successfully teach them (who are much like the average computer users) to use a DOS program to encrypt e-mail through the AOL client (yes, they use AOL, despite my arguments against it). You're not going to have true "cryptography for the masses" until you make it easy-to-use for the average user (read: until it has a GUI interface on it).)

--

Re:Question

[phil+reed]

I use PGP 6.5.3 for Win32 to encrypt the e-mail between myself and home while I'm away at college. I generated both keypairs (mine and the home one) myself, and copied them between the two computers via diskette. In other words, the public keys themselves never traveled across an untrusted network (ie the Internet). So, does this PGP problem affect me in this case whatsoever?

Only if somebody gets ahold of your public key while you're not looking and modifies it to include the additional decryption key.

Extending the situation, does this problem have any effect if keys are exchanged via some secure channel, where no potentially untrusted third party has access to the keys (and the chance to add an ADK to them)? So, don't trust the keyservers (which I never use) and you'll pretty much be OK as long as you get the public key directly from the person it belongs to?

Sure, so long as that person keeps perfect control of the key. However, if he goes away for the weekend and a spook enters his house and modifies your public key on his machine, you're hosed.


...phil

Re:Just a thought really..

[herbierobinson]

Wouldn't help. The artical states that clear ADKs can also be replaced without detection.

Am i missing the point of PGP

[SubtleNuance]

The idea is that the ADK belongs to the secret police, or the user's employer, or some organization, and that organization can intercept the encrypted message and read it.

Ummmmmm am i missing something here? What good is PGP encryption if someone other than the certificate owner is _also_ given the key.

Re:Am i missing the point of PGP

[scott@b]

No - but that was the point of PGP before Key Escrow got involved. T oquote Bruce at the head of the story

A stupid idea, but that's the sort of thing that Key Escrow demands.

Way back in 1998 a bunch of us cryptographers predicted that adding Key Escrow would make system design harder, and would result in even more security problems. This is an example of that prediction coming true.

As for what good is it? Not much, except in the case of a business that uses encryption and wants to be able to recover messages when an employee is not around/gets fired/dies.

Re:gpg

[DrVxD]

> GPG shouldn't be used on WIN32 for example because there is no suitable source of crypto strength randomness
The Win32 Crypto API contains a function called "CryptGenRandom", which may (or may not) supply cryptographically random data. Of course, the governments of some technologically challenged nations consider this kind of thing to be a munition...

Re:Open Source at it's best

[DrVxD]

I have a bridge you may be interested in buying...

Re:This was rumored for awhile

[Mike1024]

Hey,

I don't think Linux versions take any notice of ADKs. In PGPFreeware (Well, in my version (6.5.3))Just go to PGPkeys, then Edit > Options > Advanced and select 'Warn When Encrypting Keys to keys with an ADK'

From the help file (Interestingly, the ONLY reference I can find to ADKs):

Warn When Encrypting Keys to keys with an ADK
Warns you if the key you are encrypting to is also encrypted to an Additional Decryption Key (ADK).

Just check this, and don't write people who have ADKs. Also, you can select View > ADK and if a key has an ADK attatched, the blob thing turns green. Check your keys on the server regularly, and if the blob comes on, revoke your key.

Just my $0.02,

Michael Tandy

...another comment from Michael Tandy.

Re:Implications for digital signatures?

[saforrest]

No, I meant exactly what I said with regard to public & private keys. One important property of most of public-key cryptography is the following:

E(D(M))=D(E(M))=M

that is, that decryption and encryption are inverse operations.

Signatures, at least in RSA, rely on this fact. When I encrypt something using my private key, anybody in the world can decrypt it if they have my public key. This allows anybody to verify that the original message actually came from me, because only I could have initially encrypted it (since only I have my private key).

My original question still stands: if Joe Random Hacker distributes a hacked version of Jill's public key, can he then appear to send messages as Bob to Jill?

Re:Implications for digital signatures?

[saforrest]

Since nobody seems to understand what I mean about digital signatures, please read about them here or read this excerpt:

To summarize, in public key cryptosystems, a sender can use his/her private key as his/her digital signature. Since it is only known by him/her a forgery of the signature is not possible with todays algorithms. At the other side of the communication link, the receiver can confirm the authorship of the message by using the public key of the claimed sender; so the public key provides an accurate authentication for the receiver. On the other hand, by crypting the message also with the receivers public key a sender, the sender prevents the intruders to obtain the message in the plain form. Although the intruders can know the public key of the sender, they still need the private key of the receiver to decrypt the overheared message. Hence, as long as the the private key is private to the receiver the overheared messages do not contain any meaning for the intruders.

Steve
--
Stephen Forrest
4N PM/CS, University of Waterloo

Implications for digital signatures?

[saforrest]

What are the implications of this vulnerability for digital signatures?

The standard thing to do when Bob is "signing" a message is for Bob to encrypt it with his private key. Then when Jill gets the message, she decrypts it using Bob's public key, and therefore knows it's from him.

Now, if Jill is using a hypothetical hacked up version of Bob's public key, does this mean that Joe Random Hacker can send messages that appear to come from Bob, since the public key is associated both with Bob and the Joe's bogus "ADK"?

Whoa

[scribblej]

I even used preview. I must be really tired. I'm not even going to bother posting corrections; just please read the parent message with some generosity of heart. I think the point is a good one.

Re:This isn't a real problem

[Millard+Fillmore]

THe problem is that some malfeasant party could send you an email pretending to be someone else and say "oops, I lost my private key. Here's the new public key." And you go on sending them stuff, none the wiser to the ADK.

Re:who the hell thinks this is funny?

[L0rdByt0r]

No, no. I translated it... User Friendly is a cookbook... A cookbook!

Re:So just use "authorized" keys.

[nestler]

Just make sure, when you get someone's public key, that it comes from an "authentic" source

This is potentially bad reasoning.

The whole problem with this vulnerability is that it is difficult to detect if someone has altered a V4 public key with an ADK because one of the places for inserting ADK's is not included in the checksum (fingerprint) of the key. So they key will appear to be perfectly self-signed even after tampering.

If you mean by "authentic" source, that your trusted friend emails you his key, this is not safe. Email is alterable. An adversary can insert an ADK into the mailed key, that will not be visible to you without specific scrutiny with a hex editor or special GPG incantations.

Use GPG (or PGP 2.6) with old style V3 keys to prevent all of these attacks.

Re:A bit of pedantry

[david+duncan+scott]

Who was it who said, "There are no absolutes"?

I'm not panic

[tswinzig]

Or did you mean to say:

"Those of you who aren't, panic."

-thomas

(GrammarNazi eat your heart out!)

Who is this mysterious we?

[sips]

Really, do you actually work for the NSA unlikely at all.

My understanding is that the military controls..

[sips]

their nuclear devices with on site control systems that no one has access to. I believe that the "football" that the president has is just a ploy. Only an idiot would hook up nuclear weapons control systems to the internet.

You can point them or they can be pointed at you

[sips]

And at least if you have them you can point back or point more back. They both work exceedingly well to prevent problems.

It's a matter of trust

[sips]

People should realize that the most potent form of use that pgp/gpg has are their use of webs of trust. Also you should get the public key that the person is expecting from that person. Anything else is open to fraud.

Well not involving it

[sips]

Ever heard of a little technique like they used in "A Cask of Amantalado" by Edgar Allen Poe. Classic revenge, nicely done.

Or get someone else to sort through it

[sips]

Most people don't have time to sort through thousands of lines of code looking for the little nasties. I doubt many people do even in the code business.

Re:Explanation of the problem

[LameBrain]

Sorry i didn't have time to read your whole comment but wouldn't it be a simple matter to create a program that checks incoming data for unsecure keys? Of course this would only guarantee that YOUR outgoing data was safe.

Re:Look at the name [what about it?]

[Whistler007]

Are you sure?? I'm really quite positive that most if not all of the contests that distributed.net has won were sponsored by RSA. Check this link out: http://www.distributed.net/rc5/ Maybe distributed.net is posting bogus news, but I higly doubt it :)

scanning for altered public keys?

[UpperClassTwit]

I don't really know much about this but it seems that the next logical step would be for someone to quickly write a tool that will scan public keys/keyservers to see how much this vulnerability was exploited prior to the vulnerability becoming general knowledge as of today or whenever. Is this a possible/feasible thing to do?

Re:incredible prediction

[SecurityGuy]

Congratulations on your fine grasp of the obvious. Please realize that policy makers, whether corporate or governmental, don't always have the background to recognize what you see as obvious. There's been a deluge of "Just do $FOO!" solutions of late, most of which are obviously flawed. These range from adding a "V chip" to consumer electronics to remedy deficient parenting, attempts to regulate internet content (again, to remedy deficient parenting), suing person A because person B used A's service to commit a crime (hi, MPAA & RIAA!), to making it more difficult for law abiding citizens to protect themselves (you DO have a right to do this, you know) while failing to prosecute and adequately punish criminals. Web "privacy" is addressed by privacy policies which nearly always say "This policy grants you no rights, and we can change it whenever we want anyway." None of these solve the underlying problem, but are used in spite of "obvious" flaws because it was easier than fixing the problem correctly or has good PR value.

There are quite a few out there who don't understand that system complexity correlates negatively with system security. Yes, it's obvious, but say it often and to anyone who will listen. When *everyone* notices the obvious statements, then you can stop.

Just a thought really..

[dietcrack]

Er, I know I'm pulling this directly out of my ass, and you know how *that* usually ends up, but is it possible to mickey-mouse a fix by appending _your own_ unauthorized ADK to your public key, or even an authorized one or 2?

How many ADK's is it possible to have on one key? Could an unauthorized ADK be added if you already had 2 authorized ADK's(with the 3rd party being yourself)in the key? Sort of like the equivalent of securing your house by breaking off keys in all the locks.

Any thoughts?

Re:why?

[valkyriejo]

it's not a matter of 'being secret' it's simply a matter of what you're comfortable with and how far you are willing to go to protect what you have invested yourself in. Passwords, credit card numbers, your first novel, why would you not want to protect yourself from prying or spying eyes?

Anyone who goes beyond the standard 'end user' mentality ( it seems to me ) should be wondering how and where they are vulnerable, should be working hard to protect their systems, data and personal information.

It's not paranoia, delusions of government control or some weird '1984-ish' world view, it's simply a matter of common sense.

Not a problem with PGP

[jabber01]

If I understand this correctly, this is not a problem with PGP per se, but rather with the corporate/government backdoor extension into PGP. PGP itself is sounds as stone, but yet another hack, intended to give enquiring minds a means to know has it's pants down.

As I understand the 'extended' scheme, there are actually two copies of the message in the PGP ciphertext. One is encoded with MY key, and is safe, and the other is encoded with Their key - which in some versions is not secured properly and may be compromised.

The workaround seems simple enough: pre-encode my message before giving it to the 'weak' version of PGP; this way, if Their version of the key is bogus, all that an eavesdropper can get is my original cipher. Or is there a problem with doubly-encoding a message with My key?

The REAL jabber has the /. user id: 13196

Re:So what's the answer

[toon7]

Yes, even the Linux version of pgp 5.x is vulnerable.

Actually, ALL versions except "classic" pgp (pgp2.6.x) are vulnerable. Yes, this INCLUDES GnuPG.

The problem is with the V4 key sigs, and new keys. The "depreciated" V3 sigs & RSA keys are safe.

Plese, follow the link & read the article. It's well worth it.
The link is HERE as well for your convienience.

-Tod.

Re:Open Source at it's best--not

The #1 problem with the "million monkeys" model of software development and testing is that all it does is deliver, in a short amount of time, code created by monkeys.

I'd much rather have a smaller number of people working much more intensively on something, ala the ongoing OpenBSD security audit, to catch problems before anyone is burned. "Sure, the bridge fell down, but look at how quickly we re-engineered and rebuilt it!" is cold comfort to those who were on the bridge when it collapsed.

What's vulnerable and what's not

There is a lot of confusion here about what versions of PGP/GPG are vulnerable and which are not. Here is what I believe to be an accurate summary.

The attack works when A modifies B's key, which must be in version 4 format, and passes it on to C. If C's software honors the extra ADK which was added on the sly, then all messages that C sends to B can be read by A.

So, there are three things required to make the security fail:

(1) A must be able to modify the key sent from B to C somehow.

(2) B must be using key format version 4

(3) C must be using sofware that honors ADKs.

Obviously (1) is not software-related. If you give your key directly to your correspondent, you're ok. (Though if you are really paranoid, remember that the adversary could modify it as it sits on B's hard drive, even after you've exchanged a few safe messages.)

The only software that avoids condition (2) is PGP 2.6.x, which sticks to key format version 3. PGP 5+ and GPG use version 4 and are both vulnerable to key tinkering! So all those saying GPG is not affected are only half-right. (Hopefully will be fixed soon.)

Condition (3) is met by PGP versions 5 and 6 on Windows. If C sends with PGP 2.6.x or GPG, the exploit will not happen.

So, the only way B can feel safe (being the receiver) is to use PGP 2.6.x. C can feel safe sending with that or with GPG.

-Mandos

This can probably be detected by email recipient

[kju]

I may be wrong, but for the intended recipient of a message it should be possible to detect, that his key was compromised and used with a vulnerable copy of PGP. The receiving PGP/GnuPG just should check if there are any additional encodings which shouldn't be there regarding to the own local genuine version of the key.

Of course this may give false alarms with emails which where intentionally encrypted to more than one recipient, but the software should probably be configurable to warn about this.

So you may get aware of the problem and can contact the sender of the email to see if he is using a tampered key / pgp version.

Re:gpg

[Bill+Currie]

Unless things have changed recently, when OpenSSH finds that there is no /dev/random (eg on Solaris), it insists that you supply the path to egd's pipe.

Bill - aka taniwha
--

Re:DeCSS sucks and so do you!

[phil+reed]

Members of the Microsoft Developer's Network have had access to Windows ME for a little while now. Our copy arrived in the mail today.


...phil

Re:Not new or secret

[phil+reed]

You can't be held in contempt of court for exercising your constitutional rights. Forget it. You can't be punished in any way for exercising your constitutional rights.

Yeah, right. Try telling that to Kevin Mitnick.


...phil

Re:Why key escrow?

[phil+reed]

use a 2048 bit key; I know plenty of people that use a 4096 bit key. Look at how long it's taking distributed.net to crack 64 bit encryption. I doubt the government as a whole has as much power as d.net.

Ignoring your basically clueless estimate of the computing power available to the government, did your calculation take into account the amount of effort it takes to break the session key? "Session key? What's that?" you ask. Gee, didn't bother to read the documentation, did you? Why don't you go do your math again, only this time use the session key size (128 bits, last time I heard), and see what results you get. Also, you might check a message somewhere above this one, wherein somebody suggests that the session key is pretty poor quality, thus making the keyspace that much smaller.


...phil

Re:gpg

[ninjaz]

Actually, Solaris doesn't have /dev/random or /dev/urandom

You can use methods such as egd.pl (as described and linked for download at http://www.lothar.com/tech/crypto/) to gather entropy for random seeds and a third party /dev/random device driver such as the one at http://www.cosy.sbg.ac.at/~andi/ though. Also, OpenSSH has its own internal method of gathering entropy - such as running netstat and viewing the ps table.

You're not *that* dependent on the OS for randomness, it just takes a bit more work if you start with a hobbled one.

That's why I'm part of the GNU Generation. . .

[SgtPepper]

Need I do more then post this link?

Re:That's why I'm part of the GNU Generation. . .

[Sneakums]

From what I can make of the section regarding GnuPG, it doesn't warn about the presence of the ADK. However, it places but one session key in the cryptogram, a key only recoverable using the user's private key.

But if you get a contaminated version-4 public key, GnuPG will not warn you about it. You should check any and all public keys that you use as decribed in the article. I'm sure the GnuPG team will not be long in adding functionality to do this automatically.

--
"Where, where is the town? Now, it's nothing but flowers!"

How to Find the ADK

[AftanGustur]

The only way to be *sure* that you or your correspondant aren't encrypting your data in such a way that a 3rd party can read it, is to check it yourself.

This utility might be of help: pgpdump-0.02.tar.gz

It will dump the format of your PGP encrypted data, telling you about all the keys that the data was encrypted for.

You can of course use this utility on both your own encrypted data and encrypted messages that you get from others.

--
Why pay for drugs when you can get Linux for free ?

Re:Explanation of the problem

[sde1000]

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

Can't you just look at the header information, to see what version it was encrypted with?

It's a bit late by then - if the key was tampered with, and the version of PGP used to encrypt the data was vulnerable, then the data will be readable by whoever tampered with the key.

Of course, finding out that the key was tampered with (which you can do by checking for additional recipients in the encrypted message) is useful in itself.

Re:I was having a chat...

[sde1000]

In the MPAA vs 2600 case, it's the same thing. 2600 didn't do anything, just reported it, like this kid. Yet they are successfully sued. Not only that, but this security hole that's being pointed out in PGP was clearly found (or at least researched) by the decompiling of the PGP source and reverse-engineering it's storage specs, right?

Even if some of those specs are public, certainly the fact that PGP works this way is not published anywhere (previously) and someone had to "hack" this system to get the info. Clearly illegal behaviour under the DCMA under any circumstance.

The PGP source code is available - no reverse-engineering was done. Ralf, the author of the original paper, explicitly says that his tests were done without looking at the source to PGP: he was just testing the behaviour experimentally. And anyway, PGP is not a system for controlling access to copyrighted works, so has little to do with the DMCA.

Re:So just use "authorized" keys.

[Admiral+Burrito]

This discovery means that EVERY key on public key servers is potentially broken.

The quickest "patch" would be for the key servers to discard any parts of the public key block that are outside of the self-signed portion. This would prevent people from using the key servers to distribute poisoned keys.

Of course, that requires trusting your key server, which you shouldn't have to do (that's what key signing is for). At least it would make exploitation harder. As it stands a script kiddie could probably exploit the problem.

Re:Sue Him !

[arivanov]

Why funny? This is actually bloody right on target:

He has illegally circumvented a carefully designed protection mechanism !

Re:Hold on

[arivanov]

No you are not. I will like to add that:

• This one of the reasons that people still stick to RSA keys and PGP 2.6x. See OpenBSDs Theo de Raadt key for example.
• Get your current key from a public keyserver and carefully check it. With GPG. It should contain only sigs and self-sigs. There should be no complains on unknown packets as well.

Re:So just use "authorized" keys.

[Deven]

What we need is a tool which will read a key and tell you if it has a ADK.

The paper suggests using gpg --list-packets on the keyfile as an analysis tool. It appears that you should be looking for an "additional recipient request" subpacket, which (when attacked) would presumably not be hashed as in the example shown.

Win32

[Pope+Slackman]

>NONSENSE! GPG is released under the GPL. You can port it to any operating system you want. Why >don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

I don't think that's it at all. The previous poster was probably thinking of this-

From readme.w32 in the GPG W32 ALPHA release:
This is an alpha release of GnuPG for MS-Windows and WNT.
The random number generator should now work but has not undergone
a thorough testing, so we won't say anything about the quality of
the generated key and suggest that you don't use this version with
your production secret keys!


The new version of GPG (1.0.2) doesn't have this warning though, so I'd imagine they've validated the RNG.

-K

.~.
/V\
// \\
/( )\
8=^`=`^=D

Any known exploits?

[crow]

Is there any evidence of this being used in the field? Obviously people have tested the bug once it was reported, but has anyone used it in evesdropping?

It should be easy enough to write a program to check to see if any archived mail has the extra keys.

If people wouldn't use closed source encryption...

[ibis]

This wouldn't be a problem.

When I first looked into PGP, I first downloaded PGP from MIT. I noticed that the source code wasn't available. So I did a little more looking around.

And I found the International version at The International PGP Home Page. Grabbed the Unix PGP50i source code, compiled it and it works fine. When the bug in the randomness generator was found, I just patched it and recompiled!

BTW, if you are looking for all kinds of cool encryption source code for Linux, go to munitions.

Called Them

[augustz]

Forwarded, forwarded and forwarded again. Sales forwards to technical support forwards to sales. PGP has no problems, no there are no alternatives to PGP.

If anyone else thinks they will have better luck give them a call at 888-347-3925, would love to hear their perspective.

Re:This was rumored for awhile

[mindstrm]

I don't know about the fingerprint.. but the point was, the second key is not part of the 'signed' portion of the key.. so it would go unnoticed.

So what's the answer

[Gallowglass]

If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

As to it being a stupid idea, I have to disagree. There are cases where it is important to allow someone else access to the data. For example, in business affairs. If the holder of say the secret ingredients to Drambuie (nectar of the Gods, yum, yum!) had the recipe encrypted and suddenly dropped dead, what then? If the only copy is encrypted and no-one else has the key, then the recipe is lost and the company folds.

Re:So what's the answer

[Sneakums]

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

The problem is that anyone can add an ADK to a public key without affecting the key's fingerprint. In other words, it is perfectly possible for someone to set up a keyserver that adds an ADK for themselves to each key uploaded, and no-one will by any the wiser, unless they examine the key closely.

How they get their hands on the mail encrypted using those keys is of course outside the scope of this post.

Idea: A company could set up an internal auto-ADK-adding keyserver for its employees to use, and of course they have access to the outgoing mail spool.

--
"Where, where is the town? Now, it's nothing but flowers!"

Re:So what's the answer

[ssimpson]

If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

From the authors original message:

PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)

PGP-5.0i UNIX (not vulnerable)

PGP-5.5.3i WINDOWS (VULNERABLE)

PGP-6.5.1i WINDOWS (VULNERABLE)

GnuPG-1.0.1 UNIX (not vulnerable)

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

NO! The problem is that ANYONE can create an ADK on the end of your existing PGP public key!

Re:Close, but wrong on a couple of key points

[jedinite]

Yes, the original certificate has to have been generated by a version of PGP which places the ADK packets outside of the cryptographic hash.

Yes, there can be more than one ADK packet, and there can be a valid ADK packet already onboard. In both cases, (if you created the certificate with a vulnerable version of PGP) you are still vunerable.

Think of it like this:

[----------1----------]
[----------2----------]
[----------3----------]
[----------4----------]
[^^^^^xx-5-xx^^^^^]
{----------6----------}

Lines 1-4 are the key certificate information... public key, username, email address, etc. Line 5 is the cryptographic hash (think digital signature) that says "hey, lines 1-4 contain exactly the following information". In vulnerable versions of PGP, line 6 is the ADK. When someone pulls down your public key (lines 1-6) their copy of PGP checks with line 5 to make sure that the entire public key is good and untampered. Since the ADK stuff can be added in line 6 without voiding the digital signature, the certificate checks out, even if someone has added an ADK to your certificate.

Bad stuff... big brother (or your boss, or etc) can now read all the data encrypted to you from others who used this tainted public key.

---------

Re:Answers about GnuPG

[Eremit]

You said: "See below a message from A.Back. Basically GnuPG is NOT a victim of this 'attack'."

As I understood the problem, this is not going to help. The problem is, that there could be added an ADK to a key that is in Version-4 format. GnuPG generates keys in this format as well. So, even if YOU use gnupg and see that the key of your communications partner is compromised by an ADK, _his_ software he uses to encrypt to you (e.g. some PGP for Windoze) does NOT warn about the ADK that compromises your public key on the keyserver.

Yes, you might check the keyserver again and again for your own key and revoke it as soon as you see an ADK in it there. But how do you know if your communication partner has an untampered key? You don't. And that is way Schneier asks for an additional finger print that checks the signatures, too.

To be safe from having your key possibly compromised, you have to have it in Version-3 format and that means you have to use PGP 2.6.3
or PGP 2.6.3i.

And this is different exactly how from ...

[overshoot]

someone passing around a modified version of PGP which surrepetitiously compromises the security of the message in some other way?

For instance, if my system admin put an altered PGP binary on the network which passed copies of the plaintext to a logfile, I would be at least as hosed. And it would be a lot less work for the Company. Similar exploits abound; after all how many of us actually read all of our source line-for-line?

In this case, the corrupted code came from NSI. (And you decided to trust NSI, of all people, because...?)

Re:gpg

[radja]

ok, this may not be true, but...

when pgp went corporate, some companies wanted a backdoor to their worker's email. So this was built in. gpg on the other hand is not written with companies in mind, it was written with privacy in mind. I would be surprised if gpg had this vulnerability too.

//rdj

Re:This is worrying, but:

[pi31415]

Remember, in an exchange of information, you are vulnerable if you or your correspondent uses vulnerable software. A public key generated by GPG is can still be compromised, and messages a correspondent sends to you (possibly containing your own sensitive information) may be intercepted if they are using one of the vulnerable Windows versions of PGP.

So, while it isn't time to panic, it's important to keep in mind that both ends of the channel need to be secure for the information transmitted through it to be secure. We can't be complacent just because we're using free software.

Peter

Re:This was rumored for awhile

[ragnar!]

A friend of a friend, who claims to be ex NSA, when asked about PGP, after a few beers, smiled, laughed and said something about the session keys not being as random as people might imagine.

This is a similar weakness to and early netscape implementation of SSL that accidentally randomized a very small portion of the intended keyspace, making it trivial to brute force.

The answer is probably in a random geneating dongle. I've seen several for around $100, targeted mostly at research lab types who need very random streams to make their research meaningful. It would be nice if someone wrote a driver for good old 2.62 classic that could take bits from one of these things.

----------------------------------------------

The war on drugs may be over soon.

On my first day in office I will pardon everyone who has been convicted of a non-violent federal drug offense - Harry Browne - Libertarian presidential candidate

We will fight for your privacy....

[Ronin+Developer]

Okay, before you call me a conspiracy nut, please hear me out.

If you recall, in the mid 90's, the Clinton administration, under the recommendations of the law enforcement community, authorized the creation of the Clipper chip with its Skipjack algorithm. At the same time, Phil Zimmerman was under intense pressure and scrutiny regarding his involvement with PGP (strong encryption not under gov't control and protected by US patents).

The Clipper chip, if you recall, came under serious fire when it was discovered that it used something called a LEAF (Law Enforcement Access Field) which, theoretically, would allow law enforcement to read communications after obtaining a warrant. It was all part of the big key escrow plan. However, the LEAF could be circumvented/forged, making it impossible for LEF personnel to read the communications. The Clipper chip all but died.

At the same time, Mr. Zimmerman faced serious problems, RSADSKI/Public Key Partners/Security Dynamics and the entire justice dept were on him like a fly on ...well you know. Suddenly, an arrangement was achieved between all parties. PGP became a commercial product. Mr. Zimmerman became part of Network Associates....he's probably bound to a legal agreement that prevents him from talking. Everybody was fat, dumb and happy.

That is...until this information regarding ADKs become public knowledge.

Now, it's an election year with the Presidency, many seats in congress, senate and top courts up for grabs. The democrats/Clinton administration have been bombarded with many incidents of "espionage". We've formed closer alliances with the Chinese (who seem to be at the heart of the allegations and a major contributer for the DNC). We've had more "secrets" stolen from us in the past eight years than we could probably count..including, supposedly, information on nuclear capability and designs, missile technology, ship and submarine design and capabilities, etc. It's been a real banner eight years for the "privacy" of the United States.

Al Gore, as Vice President, had been tasked with the country's encryption policy. It was he, I believe, who actually authorized the Clipper chip's development. It would have been him who would fought against (and then lessened) our national restriction on cryptographic exports. And, it was Mr. Gore who met with Jim Bizdos of RSADSI fame (and major contributer) on numerous occassions (okay..so did Clinton).

With the popularity of the Clipper Chip waning, why not solve your problem by going after the emerging cult standard, PGP, and introduce key escrow there. Was this how the legal action against Phil was ultimately resolved? What were the actual terms of the agreement?

With so many of us "registering" our keys on the various key servers, one has to wonder if the keys have been tampered with through the addition of the ADKs. How else have we been compromised.

And, finally, why is that this was kept under wraps until an election year that this "issue" was discovered and unveiled. How long has the commercial version of PGP (Version 5 & 6) been available?

So, we have a VP candidate touting how he's responsible for the internet, how he's all for our privacy and, of course, privacy of electronic transactions. But, if the certificates for PGP have been compromised, then what is to say that the certs issued by Verisign and others have not been compromised in a similar fashion (without the CAs even knowing it). What's to say that information regarding the generation of the keys has not been hidden in a field of the certificate (the certid???).

Remember, the RSA patent will expire next month. At that point in time, there will be zero control over the use of the algorithm. Hence, new (and legal) encryption products will become readily available. We have seen a slow erosion of the security of RSA algorithm over the past couple of years through the use of code cracking contests sponser by....RSADSI. (BTW...did you know that the Windows version of their library can only be compiled using the Microsoft compiler (unless you wanna pay for the "port")...What was the bit about the NSAKEY a little while back??????)).

There have been attacks by famous cryptographers against elliptic curves (see the www.rsasecurity.com website for their December, 1999 Cryptogram publicaton). They have stated that the EC keys with 109 bits can be cracked in a year using 12,000 processors. The article fails to mention that 160 bit keys are standard practice nor how much effort must be expended to crack a 160 bit EC key.

So, with my conspiracy theory aside, everybody has a lot to gain and/or lose with this information becoming public.

One side can claim a conspiracy to discredit the other side. The other side can say that "Mr. Privacy" doesn't really mean it (if they're smart). In the end, it is us lowly citizens that get burned as we try to keep our credit card and personal affairs private.

If anybody doubts what I have said, do the research yourself. Look back on the history of the Clipper Chip and Skipjack. Look up the presidential order that gave Gore the authority to control encryption policy (which he denied for the longest time). Look at the deals that have been made over the past eight years. Make up your own mind.

While I think the democrats have a lot of good ideas, I believe they have picked the wrong man for the job of President and, probably, VP. Do the research...then, vote your conscience.

Okay..you can call me a nut now.

Re:I was having a chat...

[Zak3056]

And anyway, PGP is not a system for controlling access to copyrighted works, so has little to do with the DMCA.

I beg your pardon? And just what exactly does it do, cook dinner and wash the dishes? Anything you write is technically copyrighted, and you are using PGP to ensure that only certain parties can access that material. Think about it.

Re:Answers about GnuPG

[pete-classic]

I don't know squat about cryptography, but it seems like key generation is only half the problem.

The other half is that a reliable PGP implimentation should refuse ENcrypt using a public key with unsigned ADKs.

I am pretty concerned about this, because I have to rely on SOMEONE ELSES (possibly compromised) key to protect what I say.

Or am I off base here?

-Peter

Re:Open Source at it's best--not

[mOdQuArK!]

I think having a small group of competent coders is probably the best way to keep a project from flying apart, but it's still good to have a million "monkeys" LOOKING & banging on the resultant product, although not necessarily being allowed to modify it (perhaps just giving "suggestions" :).

Miscellaneous Thoughts

[Greyfox]

IANAL either (But I play one on TV)

So you're saying if I send you random garbage or stuff encrypted to a key you don't have for some reason, the burden of proof is on you?

Someone could possibly make the argument that you can get the files but oops! Revealing the password could incriminate me. Sorry. How about some court approved immunity for anything in there? (Keeping in mind that I could potentially be the real killers)

I've wondered if someone really sneaky could set up a dual-key system such that if you decrypt with the fake key, you get an innocent message about the grocerys and the kids and stuff and if you decrypt against the real key (cleverly hidden as something else) you get the actual message. The trick would be doing that in such a way that it could not be proved that there was any other content in the message...

Fast Factoring

[Greyfox]

I suspect that the NSA has had a prime factoring shortcut for at least a decade now and has raised all this commotion about encryption as a red herring to prevent us from realizing that they can in fact read everything on the net right now.

Of course, I'm paranoid too...

Re:This was rumored for awhile

[rakslice]

They wouldn't really have to "break into" them... Anyone can re-upload a key, right?

GnuPG not vulnerable

[adric]

According to the posting at Cryptome, GnuPG 1.0.1 is not vulnerable. I'd assume that applies to all of the older versions as well.
--

You CAN fix this on the client...

[ugen]

Inasmuch as client (recipient) will have to be fixed in a following way:

a) Alert you every time someones certificate is used if it contains any additional keys.
b) Have an option of ignoring such messages.

You still have to notify the author that he is using a compromised certificate so the problem isnt entirely solved but it will be clearly visible.

This was rumored for awhile

[Smitty825]

If I remember correctly, this was rumored that the NSA had found a way to break the PGP encryption. That's probably why they haven't discouraged the useage of it all of these years...

Re:This was rumored for awhile

[Ig0r]

The encryption algorithms weren't 'broken', it's a bad implementation of key escrow (which is a dumb idea to begin with).

--

Re:Why key escrow?

[Trinition]

If the cops want in my house bad enough, they don't need a key -- they can break my door down. If the cops want in my e-mail bad enough, they don't need a key -- they can break my encryption.

I apologize for my comment. It was meant to be sarcasticly funny. Too many people are taking it seriously.

My whole point was that cops can enter a building, if necessary, without a key. What the government and law enforcement agencies are saying by asking for key escrow is that they just don't have enough brute force to break the encyrption as easily as they can break a door down.

I think the analogy is a good one because encryption and doors and both things we used to keep people out of things we want. The differnece is in how hard they are to break. Should the government just force us to use weaker encyrption rather than key escrow (i.e. a normal door instead of giving them a key to your house).

What would they do if I had a hardened concrete and steel bunker instead of a house? What if that started proliferating and became the defacto standard. Do you think law enforcement agencies would stand for that? Would they make you build weaker buildings or give them a key?

Why key escrow?

[Trinition]

If the cops want in my house bad enough, they don't need a key -- they can break my door down.

If the cops want in my e-mail bad enough, they don't need a key -- they can break my encryption.

Re:gpg

[bXTr]

GPG ... uses the same ciphers (and more...) that NAI/PGP uses.
No, it doesn't! PGP uses proprietary patented algorithms. GPG doesn't, never has and never will. THAT'S why it's superior to PGP. The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).
NONSENSE! GPG is released under the GPL. You can port it to any operating system you want. Why don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

ya know

[fluxrad]

I was thinking...the best way to get the government to realize that the vast majority of lawsuits are stupid and frivolous...and, more importantly - to get them to do something about it - is to have everyone we know file lawsuit against everyone else they know. but then i realized...

EVERYONE'S ALREADY FSCKING DOING THAT!!!!


FluX
After 16 years, MTV has finally completed its deevolution into the shiny things network

Speaking of stupid ideas ..

[kd5biv]

A stupid idea, but that's the sort of thing that Key Escrow demands.

Not that Key Escrow was a particularly smart idea in and of itself .. personally, if my public key gets tagged with an ADK, I want to know about it. Of course, that would make it harder for the secret police to stay secret.

Then again, secret police aren't a particularly brilliant idea either ..

Re:A couple questions for Mr. Simpson

[ssimpson]

I'm going to direct this at Mr. Simpson as he seems to be greatly involved in this discussion. I've been involved with PGP for years - I have no official involvement with NAI. More than happy to answer questions though:

In your opinion what is a good possible solution for this?

Apart from not introducing this devils-work "feature" in the first place? ;)

Seriously, there may not be a nice answer. Erm, the first thing to do would be check every keyserver and let people know that they have ADKs. Secondly, release future versions with "Encrypt to ADK" off by default. Thirdly, change the protcol so that ADKs are part of the signed/hashed packet.

Is NAI likely to release a patch?

Probably. May be easier to fix v7 and offer free upgrades to this version for existing customers. This would allow you to easily identify users who are still using versions that are "vulnerable". I doubt they'll do this though - that would cut revenue :(

What about a new version which does not include the ADK feature? I can also see how this might be a desired feature for corporations who want to use the ADK's for thier intended use. Is it likely NAI would release a kludge in a vain attempt to keep this feature in the code?

Yes, they'll probably keep this feature. I think the last couple of bugs (including the v5 randomness bug) have done a lot of damage to PGP's reputation, which is very sad.

What is your opinion of NAI and do you think they'll do the "right" thing?

I have a lot of respect for Phil and Will Price. But this is a financial decision, we'll see. If they don't do the right thing, then I'll be sure to broadcast it from the rooftops!

Obviously with the growing popularity or PKI this can be seen as a good thing or a bad thing. Good in the fact that it exposes an inherent flaw in public key cryptography and might make some people seriously think about the implications of a public key infrastructure.

It's not a problem with public key crypto though, it'ts just an awful implementation!

Bad in the fact that a widely used version of PGP has a potentialy serious hole in it. I wonder how long the NSA has known about this one.

Should be fairly easy to see if someone has exploited the bug - just check all keys on the keyserver.

I suppose I had better update my PGP FAQ now!

Cheers, Sam

Re:Open Source at it's best

[ssimpson]

Bzzzzzzt. Wrong. PGP is open source. See for example www.pgpi.com and download your own copy..........

Re:Read the entire analysis

[ssimpson]

No it doesn't GPG ignores packet 10 - it doesn't know how to encrypt to ADK's!

GPG keys are vulnerable, but only when being encrypted to by NAI PGP implementations.......

Re:gpg

[ssimpson]

I wrote: GPG ... uses the same ciphers (and more...) that NAI/PGP uses.

You wrote: No, it doesn't! PGP uses proprietary patented algorithms. GPG doesn't, never has and never will. THAT'S why it's superior to PGP.

PGP v5 onwards has implemented CAST & 3DES and DH/DSS as the asymmetric cipher - all non-proprietary. You may be refering to PGP v2.x - but that version doesn't suffer from these ADK problems and is thus totally unrelated to this current discussion...

I wrote: The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).

You wrote: NONSENSE! GPG is released under the GPL. You can port it to any operating system you want.

Have you ever used / installed GPG? If you read the documentation and source code is clear and obvious that GPG needs a decent source of randomness. GPG shouldn't be used on WIN32 for example because there is no suitable source of crypto strength randomness.

You wrote: Why don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

Coming from someone you clearly writes from a position of gross ignorance?

PS: Read my writings on GPG/PGP at: www.scramdisk.clara.net/pgpfaq.html if you doubt my credentials.

Re:Sue Him !

[NaughtyEddie]

Fuck, that does sound stupid, but you may be right: the guy who figures out factorization might be sued under the DMCA.

Mind you, he'd have to survive assassination by the CIA first ...

Secrecy: we need privacy and protection from THEM

[Frank+T.+Lofaro+Jr.]

• Privacy. Want us to see EVERYTHING (and I mean EVERYTHING) you do?... Didn't think so.
• Because so many things that shouldn't be illegal, are. Because so many things you have the moral right to do will still get you punished (harrassed, fired, sued, imprisoned, assassinated, etc). If you say something The Man doesn't like, you might really begin to appreciate secrecy.

Re:You just thought you were safe!

[Frank+T.+Lofaro+Jr.]

And unless you know a hell of a lot of intricate high-level mathematics, the NSA breaking your code will be the LEAST of your problems. Probably any halfway decent cryptoanalyst could break your code trivially.

Crypto ain't easy folks.

Rebel without a clue

[streetlawyer]

PGP has an alternative commercial use ... if you'd read the article, you'd see that the vulnerability would not affect documents already scrambled with PGP, so your example is balls anyway ... oh, what's the use? Slashdot wants to believe that the DMCA doesn't say what it says, and mere evidence isn't going to change that.

ADK flag in PGPKeys

[trust_no_one]

I'm using PGP 6.5.3 Freeware in windows and notice that there is a way to see if a key on my keyring or the server has an ADK. Go to the View Menu and click ADK if you don't see the field.

Would checking this field before using someone's public key guarantee that there was no ADK attached to that key or does this vulnerablility mean that the flag won't be set?

I was having a chat...

[scribblej]

Disclaimer: I need sleep. Excuse me for referring to the wonderful poster of this topic as "this kid" and excuse me for anything else I say that is nutty. I have great respect for "this kid" and how he's helped us all see the light.

...About this, when something occured to me. Now, people here have alredy suggested suing this kid under the DCMA, but it seems so appropriate an analogy to the MPAA case, it's scary.

Allow me to explain:

In the MPAA vs 2600 case, it's the same thing. 2600 didn't do anything, just reported it, like this kid. Yet they are successfully sued. Not only that, but this security hole that's being pointed out in PGP was clearly found (or at least researched) by the decompiling of the PGP source and reverse-engineering it's storage specs, right?

Even if some of those specs are public, certainly the fact that PGP works this way is not published anywhere (previously) and someone had to "hack" this system to get the info. Clearly illegal behaviour under the DCMA under any circumstance.

It's making me wonder whether we'll ever be able to report bugs that involve anything more than cursory examination. This kid went all the way, decompiled the program, posted every detail about how to determine if your system is vulnerable, how to fix it, etc, etc... and although he's doing EVERYONE a service, it's illegal to have helped like that. No one's going to sue him, I'm sure, but the point is, he broke the law.

"Life's gunna' suck when you grow up -- it sucks pretty bad right now."

I can't wait till Microsoft sues someone for revealing a security hole in Windows...

Re:Hold on

[nestler]

You are slightly wrong.

I you use an old V3 RSA key (the ones that PGP 2.6 creates), then there is no way they are inadvertantly encrypting stuff that an adversary can read (while thinking it is to you).

Ir you are using a new-style key (v4 of any of the two crypto algorithms), then your analysis is correct. Someone with the broken software may inadvertantly send mail thinking that it is only readable by you, when in fact it is readable by anyone who tampered with their copy of your public key.

This is very much worth knowing with all of the misguided "I use GPG so I am safe" posts floating around. Only old V3 keys are safe from other peoples' bunk software.

Stand back... Squint...

[jabber01]

From the authors original message:

*PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
*PGP-5.0i UNIX (not vulnerable)
*PGP-5.5.3i WINDOWS (VULNERABLE)
*PGP-6.5.1i WINDOWS (VULNERABLE)
*GnuPG-1.0.1 UNIX (not vulnerable)


Well, call me a zealot, but I think I see a pattern emerging...

The REAL jabber has the /. user id: 13196

Re:Stand back... Squint...

[sde1000]

From the authors original message:

• PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
• PGP-5.0i UNIX (not vulnerable)
• PGP-5.5.3i WINDOWS (VULNERABLE)
• PGP-6.5.1i WINDOWS (VULNERABLE)
• GnuPG-1.0.1 UNIX (not vulnerable)

Well, call me a zealot, but I think I see a pattern emerging...

If you're referring to the fact that the vulnerable versions of PGP were tested running on Windows, you're not seeing a pattern. PGP-5.5.3i and PGP-6.5.1i running on Unix are just as vulnerable.

How wide spread is the problem?

[TSayles]

It seems that someone with that understands this vulnerability could write some scripts to examine a sampling of keys on the public key servers (like certserver.pgp.com and pgpkeys.mit.edu:11371)and get an idea of how wide spread the problems might be. Is big brother really watching, or is there just a potential that he could be?

ADK: Retroactive Detection

[Effugas]

This is an awful bug, to be sure, but it's not invisible to the recipient. This is not a full fledged kleptographic attack, i.e. one where the added key material is invisible to anyone but the attacker.

ADKs *have* to leave additional encrypted content within the final package--somewhere, they've got to leave the decryption key in a detectable form for an attacker to come in and use to decrypt the one-time 3DES/Twofish/Other Symmetric Cipher Key. Now, it's possible that this internal key material could be stripped from the entire message and a valid hash reconstructed, much as the ADK can be added to a key without changing the overall key hash. But this would surprise and disappoint me--at that point, intent becomes a real question.

I have not intensively analyzed the PGP block format--I've been too busy working on SSH as of late--but it's necessary that *something* new is going to be added to the overall package, and that it's is going to be detectable, possibly without decryption, possibly without even the original public key. Whether it's strippable or not is a question mark, but people shouldn't be saying this is an invisible attack. It can't be.

Brutal, yes. Invisible, no.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Hold on

[jaa]

I keep hearing that this version is unaffected, and that version is unaffected. Aren't all of us affected:

"the sender who is responsible for encrypting to the ADKs, not the recipient."

Thus, if someone with a broken version of PGP sends me encrypted email, they might also encrypt to an adversary. Am I missing something?

Response from a PGP engineer

[rjh]

I am an employee of Network Associates and a programmer working on PGP.

We're looking into it. I can't say much more than that at this point. As soon as more information is known, I will post it as a reply to this thread. Hopefully, you'll see some official word on it here soon.

-- Rob

Re:Open Source at it's best

[MartinG]

PGP is not open source.
GPG, the GNU equivalent of PGP _is_ open source, and does not have this vunerability.

As for the police here in the UK, thats a whole other story, and if you ask me Mr Straw has no idea what problems he is creating for the police in the long term with his RIP bill either... but that's another story for another day.

A couple questions for Mr. Simpson

[LiNT_]

I'm going to direct this at Mr. Simpson as he seems to be greatly involved in this discussion.

In your opinion what is a good possible solution for this? Is NAI likely to release a patch? What about a new version which does not include the ADK feature? I can also see how this might be a desired feature for corporations who want to use the ADK's for thier intended use. Is it likely NAI would release a kludge in a vain attempt to keep this feature in the code? What is your opinion of NAI and do you think they'll do the "right" thing?

Obviously with the growing popularity or PKI this can be seen as a good thing or a bad thing. Good in the fact that it exposes an inherent flaw in public key cryptography and might make some people seriously think about the implications of a public key infrastructure. Bad in the fact that a widely used version of PGP has a potentialy serious hole in it. I wonder how long the NSA has known about this one.

How appropriate this quote of yours seems.

"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
-- Sam Simpson, July 9, 1998

LiNT

Read the entire analysis

[SEAL]

The problem extends to GPG, which also uses DH keys. It doesn't automatically generate them, but like the newer versions of PGP, it fails to detect when ADKs have been appended. So in this case, the newest Free OSS is also vulnerable.

Re:ADK? Disturbing.

[Hugh+D.+Hyatt]

I just looked in PGP Help. Here's what the item on 'additional decryption keys' says:

About Additional Decryption Keys

Additional Decryption Keys are keys that allow the security officers of an organization to decrypt messages that have been sent to or from people within your organization. There are two types of keys: incoming additional decryption keys and outgoing additional decryption keys .

Note

Although the security officer should not ordinarily use the Additional Decryption keys, there may be circumstances when it is necessary to recover someone's email. For example, if someone is injured and out of work for some time or if email records are subpoenaed by a law enforcement agency and the corporation must decrypt mail as evidence for a court case.

© 1999 Networks Associates Technology, Inc.

Re:So just use "authorized" keys.

[ssimpson]

ARRGH! Wrong!

This is a hole, a bug, a failiure. It's easily countered by including ADK information in the hashed/signed portion of the key.

This discovery means that EVERY key on public key servers is potentially broken. Hell, any naive users key could have this ADK packet and not even be aware! Using "authorised" keys, whatever that means, isn't a solution.

Sounds like a good job for a virus or IRC bot

[dpilot]

Scan for unsigned ADKs and report them back to the (supposed-to-be) owner, as well as the current holder. For that matter, scan for signed ADKs, as well, and report them, too.

It can't really be a virus or IRC bot, but why not a snipped of open source code. Get it out, and everyone scan every key they hold. Scan every key that you know you've put somewhere. Scan every key you use to send. Scan every key you touch.

For that matter, wrap it in with GPG.

While we're at it, send upgrade notices back to anyone who uses the wrong version of PGP to send us mail. Stomp it from the face of the Earth.

So just use "authorized" keys.

[saforrest]

I agree this is a problem, but it doesn't render PGP useless.

Just make sure, when you get someone's public key, that it comes from an "authentic" source.

Sue Him !

[Fruny]

He has illegally circumvented a carefully designed protection mechanism ! His discovery will cause bazillions of dollars to be lost to crime and piracy.

Worse even, sites such as Slashdot freely link to this information, destroying a successful business model (namely e-commerce) !

Don't let him get away with it, protect our right to profit !

And while you are at it, imprison all mathematicians who might find ways to break our precious cipher systems by finding a way to factor large numbers


(Sounds stupid, but wouldn't there be legal action in such a case ?

Trust goes one way

[XNormal]

there are lot's of fraudulent and dead keys in there and they are signed by someone who was trusted enough to sign the kernel key

This sentence is meaningless. Trust goes only one way. It doesn't mean anything if someone you don't know has signed a key.

I only added signers of keys to until the database was 4000 keys or so.

You're going the wrong way. You should trace the web of trust by looking for keys that are SIGNED BY that key, not keys that SIGN IT. Yes, I know, it's a little more difficult to find all the keys signed by a particular key. You need to download the entire database for that.

The only solution to this is a certified key authority.

According to your logic I could discredit the certificate authority by creating a bogus key and signing the CA's key with it...

----

Re:This is no surprise

[arivanov]

You forgot to add:

• deliberately made a mostly winshmoze system that does not work or does not even compile on alpha, mips and most 64 bit systems.
• replaced working random number generation with stuff that just does not work.

Not new or secret

[Mr+T]

This is a bug. The fact that you can modify an existing key is a serious oversight.

There was a great deal of arguing and discussion in cryptographic circles when this came out. The gist of it is that when you email something from work, you're employer can get sued for it, so employers want the capability to read that email, they are legally entitled to in the US. So they added "enterprise" or "corporate" support to PGP. In the business world it makes more sense then you think, they can also recover messages if you're harddrive crashes and takes your secret key away. If PGP is to ever take hold in that market, and PGP is about making money anymore, then it needs this so called ADK feature.

DO NOT FEAR. KEEP USING PGP and GPG if you're one of the 2% who do! If they include the ADK within the key signature then the problem goes away and it works as designed. ADK is a good thing because it makes the product usable in markets it would otherwise never make it. My fear is that this will be treated like Clipper was, and for some reason people get paranoid about having encryption where an authoirzed third party can decrypt your transimition so the proper thing to do is keep using no encryption because that is some how better.

As a former one of the original cipherpunks and a crypto freak I'm also beginning to come around on escrow and key certifcation services. I've built a key database starting with my keys and the linux kernel key. I only added signers of keys to until the database was 4000 keys or so. "The web of trust" doesn't work, there are lot's of fraudulent and dead keys in there and they are signed by someone who was trusted enough to sign the kernel key, or someone who was trusted enough to sign the key of one of the signers of the kernel key. I only went out 3 hops from the kernel key when I was making the database. If you play 6 degrees of Kevin Bacon with PGP keys and start with Linus and the kernel key you get to a bunch of trash really quickly. (this was all done with keyserver.net) Example: Gandhi (yes, at nonviolent.org) has signed Dave Del Torto's key who has signed Theo Ts'o's key who is a kernel hacker and has signed the Kernel key. There is nothing that prohibits anyone from signing another key, so essentially you can't trust a key simply because it was signed by somebody. The web is a direct graph and the arrows point the wrong way, you can only trust keys you trust enough to sign and you can't draw any conclusion from someone else's signature being on a key. There is also a tremendous amount of garbage in the web of trust.

The only solution to this is a certified key authority. The problem with that is they are a business (better than a governement agency) and they will want to use ADK to cover their ass. I think the risk can be managed to a reasonable point by having multiple companies with checks and balances. I would use a key authority if, a) it was seemless and all my email was encrypted with said key and b) key authority couldn't decrypt my key but a 3 party might be able to with a court order. I still wouldn't use it for encrypting my confessions of sexual peccadillos or my plans to over throw the government but it would be more than acceptable for email which is largely unencrypted now. (So not just can the govenrnment read it but your neighbors, your employer and foreign governments can all read it too.) As it stands, if I was told by a court to decrypt my email and there wasn't an ADK capability, I would go to jail for contempt until I did, so when it comes down to it, if some one wants to forcably read your email and a court agrees you're going to lose that battle either by decrypting it or by going to jail and testing your will.

This isn't a real problem

[GavK]

This doesn't affect anyone who uses the correct method of getting a public key. AKA EMAIL (At worst)

It's only keyservers that this could occur on. Personally I keep mine on my web pages, anyone who wants to mail me securely uses that, or the one I mail them...

Rule: Only use keyserver keys for verification of an unknown source, and even then, if it's important don't trust it...

EG I get the CERT key from their web site

It's your security people, don't give it to someone else...

Can we ask someone within PGP?

[hvoss]

Does anybody have a good contact within PGP (pref. close to Phil Zimmerman) and get them to comment on this? (Like how can this be detected, other ways to safe guard against this.... etc.).
Hans Voss
---

Re:Can we ask someone within PGP?

[ssimpson]

Will Price, Director of Engineering, PGP Security, Inc. has been alerted and is looking into it - he expects to report back to PGP-USERS mailing list Thursday.

ADK? Disturbing.

[setecastronomy]

Maybe I completely missed the blaring announcements, but why is it that this is the first time that I'm hearing about this ADK 'feature?' If my version of PGP is automatically including an extra key along with my own, so that the government can snoop on my encrypted mail, it should be made blatantly clear, every time I generate a key. Or maybe I'm missing something obvious?

Re:ADK? Disturbing.

[benedict]

You misread. PGP is not generating an ADK. PGP is *accepting* ADKs that are attached to public key certificates but not signed by the issuer of the certificate.

Here is the exploit sequence: you issue a PGP certificate, containing your public key. You may be not be running a version of PGP with the bug, it doesn't matter. Joe Evil attaches another public key to your certificate as an ADK, and passes it around. Someone who is running the vulnerable PGP uses your certificate to encrypt a message to you. However, they *also* make a copy encrypted with Joe Evil's public key! And they won't even know it unless they examined your certificate manually. Now Joe can read their message.

So the problem here isn't that PGP is attaching an ADK, but rather that someone could later attach an ADK and the tampering would be not detected by someone using the certificate to communicate with its issuer.

--

Re:ADK? Disturbing.

[ssimpson]

ADK has been a part of the NAI PGP implementation since v5 (e.g. 3 years ago).

There was a lot of arguing about including this feature, it's been documented in the user manual since v5, it's been talked about on newsgroups etc and it's been documented quite widely.

One saving grace is that the PGP standard (RFC2440) DOESN'T include this feature - so the problem should be fairly confined to users of NAI/PGP.

Again an example of Free OSS being better than the commerical alternatives? ;)

I'm really surprised that anyone who follows PGP to any degree has failed to notice? Anyway, it's documented in my PGP DH vs PGP RSA FAQ at: http://www.scramdisk.clara.net/

Rgds,

Sam

This is no surprise

[Randseed]

This is absolutely no surprise. It's also inconceivable that this is simply an honest bug. It's a backdoor.

PGP 5.x was, is, and will continue to be a screwup.

They deliberately changed the command line interface to break every PGP-interoperable tool out there.

They released the Windows version months before the UNIX version.

When they finally were releasing the UNIX versions, they were binary-only.

Eventually, they got around to releasing the source code to the world. This was supposedly because of legal concerns, but that explanation doesn't really hold water. The binaries were released and restricted to the U.S. The source code was written in book form and exported, then to be scanned in, which was legal. Of course, the binaries made it out of the U.S. in about 45 minutes. The source code could have easily been released and restricted to the U.S., but wasn't. This didn't sound right at the time either.

They deliberately broke interoperability with older versions of PGP, which in effect forced people to upgrade. Because they didn't release source code, people were upgrading with binary-only versions.

Anybody searching the Cypherpunks archives from around the time PGP 5.0 was released can find several large threads on these topics.

So, again, it doesn't come as a surprise that PGP Incorporated is a government shill organization, particularly after they joined the KRAp.

Screw them. They and the government can go fuck themselves.

Re:This is no surprise

[the_quark]

As the programmer largely responsible for 5.0 Unix (flaws and all), I've got to respond to some of this. Some of it is simply not factual, other parts of it contain opinion which I consider to be incorrect. Disclaimer, first - I do not work for NAI or PGP, Inc., and my words are most certainly my own and not theirs.

Point-by-point:

1) "PGP 5.x was, is, and will continue to be a screwup". Your opinion, obviously. I agree some things could have been better with it (especially the Unix version).

2) "They deliberately changed the command line interface to break every PGP-interoperable tool out there." No. *I* deliberately changed the command line interface (with much deliberation) for two reasons: Once Unix development started, we were on a very tight schedule, as the Windows and Mac versions had already been released (see blow). The primary goal was to make it possible for Unix to decrypt the new key formats as quickly as possible. There was not time, under the schedule, to reimplement the 2.x command line item-for-item. Given that we were creating a security application, my opinion was that it was much better to create a new interface and break everything than to try to emulate the old interface and perhaps subtly break other things without complaint. The secondary goal was to improve the interface to be more Unix-like and less DOS-like (note, for example, that under 2.6.2, you can't do something like "pgp -ea president@whitehouse.gov *.txt"). In the end, I suspect my interface failed; I know I didn't have time to think about it, design it or get the input I would've liked. So, it is technically acurate that the change was "to break every...tool out there," but the intent was to prevent subtle security flaws in programs that interoperate with PGP.

3) "They released the Windows version months before the UNIX version." True enough. We were a startup, in those days, and, if you look at Wired Magazine from the same time period, youll find we did significant layoffs at the company around that time. As 5.0 was rolling out, PGP, Inc. was realizing that it didn't really have enough funding to keep going as an independent entity. As a result, we didn't have any resources to devote to Unix. Windows and Mac were our focus because that was what was needed for the corporate clients we needed to keep the business going. Once Windows 5.0 shipped (I was a developer on that, as well), work was begun on 5.0 for Unix. I was the only person on the non-crypto team (who were now busy working on 5.5) who had any knowledge of Unix, so I got to do it all by myself, with essentially no other resources. So, yes, it came out later. We didn't have the people to do it any sooner.

4) "When they finally were releasing the UNIX versions, they were binary-only." In July of 1996, we published the first source-code books, containing the PGP 5.0 source code from the late June releases of 5.0 for Windows and Mac. Our intent with these books was to make the source code available for international review within the constraints of US export law at the time. It took about a month to get them together, as we had to write code to format the books correctly, etc. With every subsequent book, it took less time for the code to be released, as we improved the process. In the July book, we included the "alpha" version of PGP 5.0 for Unix that I was developing, at the time. It had a lot of flaws, but let people see the code. This was scanned in and became available online in late July or early August (if memory serves). Once the final Unix version was released, the code was available in the next source code book. I know we discussed publishing an addendum with the 5.0 Unix code, final version in it, but I don't recall if that happened. The 5.0 Unix source-code book may have been delayed because PGP, Inc. was running out of money, that fall. As I recall, the code itself was completed in September, but it may be true that the code was not actually published for some months, afterward. Again, this was not due to a conspiracy, but due to a lack of funds.

5) [Long rant about publishing the books not making sense]. We did not publish the source code electronically for very specific export-control reasons. At the time, it was illegal (punishable with jail time) to let that type of stuff out of the country. We felt that, as a company, we had a big, fat target on us, and we had to do everything in a completely legal fashion. As I said in number four, I agree that the Unix source code didn't come out as quickly as it could, but that had more to do with a lack of funds than anything else.

6) "They deliberately broke interoperability..." The answer to this one is really simple: Patents. We wanted to release a completely freeware version of PGP. We couldn't, as long as RSA was a requirement. Therefor, we had to move the product off of RSA.

Finally, you complain that "PGP Incorporated is a government shill organization..." Technically speaking, "PGP, Inc." doesn't really exist since they were purchased by Network Associates, Inc. in December of 1997. I'm going to assume what you're trying to get across here is that, earlier in 1997, PGP, Inc. was a government shill organization (as evidenced by its poor support of Unix, apparently).

This was an accusation frequently leveled against us at the time, but which we were not permitted, as employees, to counter. I've never really said anything about it, before, and certainly slashdot is not the kind of place where this is going to be widely read an understood, but:

PGP, Inc. was a lot of things. It was a startup with too much money, too fast, that burned that money too quickly on unimportant things. It made a lot of business decisions, some which I agree with (making Windows a priority, for example) and many of which I didn't. It was quite amusing, at the time, to see how everything we did was considered evidence of a government conspiracy. My wife was the build mistress, and she'd make some trivial change to a README and the next thing you'd know there would be people on Usenet analyzing the wording for proof that the NSA was controlling us.

In the end, PGP, Inc. lasted about a year and a half. I joined in November, 1996, when they had gotten their first financing. Like a lot of other people, I took a significant pay cut to come work on PGP, because of my love of the product and desire to help create a product that would help people protect their privacy and resist tryanny. Almost every employee there (and certainly all the engineers) were there for similar reasons. We did a lot of things that I think we'd change, in retrospect. But I personally lost thousands of dollars in lost wages working for PGP (and got basically nothing in the sale to NAI). The reason all of us were there was to build a company that could take encryption to the masses. The strategy we chose was to do that by selling a product to large corporations.

You may have complaints about what we did. I personally was never happy with PGP 5.0 for Unix, and can understand why others (especially those who actually paid for it) might have complaints about it. But to say that we did it in concert with the government or to aid the government in any way is not just ridiculous, it's offensive. Staring a company from the ground-up is hard, and it's not surprising that we made mistakes. But they were all honest ones.

This is worrying, but:

[phaze3000]

GNUPG isn't affected - so those of us who like a software free-as-in-speech don't have an problem.

It can only affect you if you get a key from an untrusted source. For most /.ers this won't be an issue.

So basically, don't panic just yet. Of course, this will no doubt start a number of 'many eyes of open-source' arguments.

Would Updating Keyservers Help?

[Brian+Ristuccia]

Wouldn't the impact of this vunerability be reduced significantly if the various public keyservers were reconfigured to reject keys uploaded with unsigned ADK's?

Explanation of the problem

[sde1000]

The reason that this vulnerability in PGP is serious is that you can't fix it by updating your copy: you have to ensure that everybody who might send you encrypted messages has a copy of PGP without the ADK bug. This is difficult, especially when you don't know who your correspondants are going to be ahead of time.

Here is a summary of Ralf's paper that I wrote while reading it yesterday:

When a PGP key-pair is generated, the public key is stored in a file as a number of typed 'packets': the key itself, a userid, etc. One of these packets is a signature of the previous packets made with the private key, to bind them together (so that, for example, the userid cannot be changed).

In PGP version 3 files, it's as simple as that.

In PGP version 4 files, the signature packet contains some extra fields: two sets of 'subpackets'. One set of subpackets is included in the hash, and therefore cannot be tampered with. The other is not included in the hash.

Some versions of PGP allow "Additional Decryption Keys" to be specified for public keys. They are specified by including the additional key identity in a subpacket in the signature. The idea is that when you create a key pair and sign the public part, you sign the identities of any ADKs that you want to use. This is supposed to prevent ADKs from being specified without the consent of the holder of the private key.

Unfortunately, some versions of PGP respond to ADK subpackets in the non-hashed part of the signature. This is a blatant bug. They treat them exactly as if they were hashed, i.e. they show up as ADKs in the list of 'key properties', and messages encrypted to the public key include packets allowing the session key to be obtained by holders of the ADKs.

Tested versions of PGP:

• PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
• PGP-5.0i UNIX (not vulnerable)
• PGP-5.5.3i WINDOWS (VULNERABLE)
• PGP-6.5.1i WINDOWS (VULNERABLE)
• GnuPG-1.0.1 UNIX (not vulnerable - doesn't support ADKs)

The problem won't go away until all vulnerable versions of PGP are retired, since it's the sender who is responsible for encrypting to the ADKs, not the recipient.

As far as I can tell, nobody has done the experiment of uploading a modified signature packet to a keyserver yet - will it replace the existing signature packet, or be ignored? (Or possibly be stored in addition, in which case more experiments need to be done: what will various versions of PGP do if given keys with multiple self-signatures?)

More followup: I've found the bug in the PGP-6.5.1i-beta2 source code. I'm fairly sure it will be identical in all the other vulnerable versions.

In file libs/pgpcdk/priv/keys/keys/pgpRngPub.c, I see two functions: one called ringKeyFindSubpacket(), which finds a subpacket from a self-signature packet, and ringKeyAdditionalRecipientRequestKey(), which uses ringKeyFindSubpacket() to search for ADK subpackets.

ringKeyFindSubpacket() is declared as follows:

PGPByte const * ringKeyFindSubpacket (RingObject *obj, RingSet const *set, int subpacktype, unsigned nth, PGPSize *plen, int *pcritical, int *phashed, PGPUInt32 *pcreation, unsigned *pmatches, PGPError *error);

In particular, the "phashed" parameter is used to return whether the subpacket was in the hashed region. Now, looking at the call in ringKeyAdditionalRecipientRequestKey() I see this:

krpdata = ringKeyFindSubpacket (obj, set, SIGSUB_KEY_ADDITIONAL_RECIPIENT_REQUEST, nth, &krdatalen, &critical, NULL, NULL, &matches, error);

...the "phashed" value isn't checked (or even asked for)!

Ok - it's an obvious implementation bug, and the bug itself should be easy to fix. I won't comment on the wisdom of designing in ADKs in the first place; the problem now is, how do we get everyone to replace their vulnerable copies of PGP? And, since that won't ever happen completely, how do we minimise the remaining problem?

It should be easy to spot keys that have been tampered with: use gpg --list-packets and look for ADKs in the unhashed section of the self-signature. You can also check to see whether you are receiving messages that have been encrypted to more than one recipient: look for multiple session key packets.

Finally, I recommend that regular sweeps are made of the public key servers for keys that have been tampered with.

Close, but wrong on a couple of key points

[jedinite]

Read the #98 post a little farther down for a better (read: more detailed) summary. It DOES matter what version of PGP you create the key with, and thus your details of the exploit are a little off...

In short, the exploit sequence is as follows:

Alice creates a PGP certificate. This is composed of her public key plus a bunch of other "packets" containing info like UserID, etc. One of these packets is essentially a checksum, containing a signature of the previous packets. In NAI PGP version 5, the ADK packet is included OUTSIDE of the checksum (so you can attach an ADK packet without affecting the checksum (and thus without generating an error message that the key has been tampered with). Alice then uploads her PGP public certificate to the pgp root server.

Carol wants to read any messages to Alice, so she goes out, pulls down Alice's certificate, and adds an ADK packet featuring her own public key. Then Carol uploads the new copy of Alice's key. Because the ADK packet is not included in (not checked by) the signed hash packet, this addition is not noticed as making the certificate invalid.

Now Bob decides he wants to send an encrypted message to Alice, so he pulls her public key from the pgp root server. He gets the latest copy, which is the version with Carol's ADK packet. So when Bob encrypts a message to Alice, it's just like he selected to encrypt the message to Alice and to Carol. So Carol can then intercept the email and decrypt it using her own private key.

---------

Lawsuit

[bwt]

I have copyrighted works under protected with PGP. I did not concent to the TPM I use being circumvented. Bruce's description of this vulnerability is clearly a circumvention technology that will be used to pirate my work and is thereby illegal under the DMCA.

I'm going to file a lawsuit against Bruce and Slashdot and anyone who links to Slashdot and anyone who reads the article and anyone who points at or otherwise refers to a person who reads the article. In fact, Bruce himself is circumvention technology, so I'm suing his parents, too, along with the major airlines, both of which have distributed Bruce.

You're too late

[Vanders]

We have already read all of your Emails. Thank you for your cooperation. Please stay in your seat, someone will soon arrive to collect you for processing. Yours,

MIB

Answers about GnuPG

[ssimpson]

See below a message from A.Back. Basically GnuPG is NOT a victim of this "attack".

> -----Original Message-----
> From: Adam Back [mailto:adam@cypherspace.org]
> Sent: 24 August 2000 15:12
> To: Ross.Anderson@cl.cam.ac.uk
> Cc: ukcrypto@maillist.ox.ac.uk; ietf-openpgp@imc.org
> Subject: Re: Serious bug in PGP - versions 5 and 6
>
>
>
> Ross Anderson writes on uk-crypto:
> > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
> >
> > [...]
> >
> > He's written a paper on his work and it's at
> >
> > http://senderek.de/security/key-experiments.html
> >
> > Since NAI joined the Key Recovery Alliance, PGP has supported
> > "Additional Decryption Keys" which can be added to a public key.
> >
> > The sender will then encrypt the session key to these as well as to
> > your main public key. The bug is that some versions of PGP respond
> > to ADK subpackets in the non-signed part of the public key data
> > structure. The effect is that GCHQ can create a tampered version of
> > your PGP public key containing a public key whose corresponding
> > private key is also known to themselves, and circulate it. People
> > who encrypt traffic to you will encrypt it to them too.
>
> Amazing, and really unfortunate. Those of us who invested large
> amounts of effort in ensuring the ADK subpackets were not included in
> the ietf openPGP standard can be pleased we succeeded -- otherwise
> gnuPG and other implementations may now also have contributed to this
> risk. As it is gnuPG doesn't honor ADK requests, and all the rfc2440
> says about them is:
>
> 10 = placeholder for backward compatibility
>
> At the time I was suggesting that if PGP really must insist on
> creating software to escrow communications (the primary argument being
> that people didn't want to lose access to the stored mail as opposed
> to being able to have designated third parties snooping mail in
> transit) they should use storage key escrow.
>
> My main premise was that communication key escrow is too risky because
> an outside attacker gets the plaintext:
>
http://www.cypherspace.org/~adam/cdr/

"Keys used to encrypt email which is transmitted over the Internet are
more valuable to an attacker than keys used to encrypt stored files
because of the relative ease with which an attacker can obtain copies
of emailed ciphertext. Stored encrypted files in contrast are
protected by all the physical security systems the company is relying
on to protect it's paper files, plaintext data stored on disks, and
backup tapes. [...]"

There was also lots of political discussion of how unwise it was for
PGP to create a escrow infrastructure which could as easily be used by
governments as by SEC companies to archive their employees
communications.

And people quoting Phil Zimmermann a few years earlier complaining
about ViaCrypt's PGP4 for business variant which had "escrow" in the
form of a third party "encrypt-to-self" config file setting.

And I believe I recall the NSA or some other US government body
picking up on the CMR / ADK mechanism and holding it up as evidence
against the claim that key recover was complex ... "see PGP did it,
this works".

> It's of scientific interest because it spectacularly confirms a
> prediction made by a number of us in the paper on `The Risks of Key
> Recovery, Key Escrow, and Trusted Third-Party Encryption'
> that key escrow would make it
> much more difficult than people thought to build secure systems.

Yes. It really highlights the truth in the statement about the
new risks introduced by adding key escrow.

Adam