[lug] commercial version of PGP: big ADK bug
Neal McBurnett
nealmcb at avaya.com
Sun Aug 27 09:42:45 MDT 2000
There has been some big news in the last week relating to a sobering
bug in the commercial PGP Inc software, which includes Additional
Decryption Key (ADK) support. It puts *all* people who have published
new-style key certificates at risk: Alice's key cert can be modified
by Eve such that when Bob uses PGP Inc software to encrypt to Alice
using the modified key cert, the message is also encrypted so Eve can
read it.
After reading the material below, you'll see that some aspects of the
exploit are difficult.
The sender must acknowledge a warning dialog that an ADK is
associated with the certificate [are two ADKs treated differently
than one?]
The sender must already have the key for the bogus ADK on their local
keyring.
I'd like to know what the user sees if Alice's original key already
has an ADK for "Trent", and if Eve is for example a casual
correspondent of Alice's who wants to also read Alice's
business-related email from Bob. When sending mail to Alice, does Bob
see something different than he would without the second ADK?
E.g. does he get a warning mentioning both Trent and Eve? Can he turn
that warning off??
Other providers of PGP-compatible software (e.g. OpenPGP) whose code
is not buggy are furious since it indirectly affects their users
(e.g. if Alice uses OpenPGP, sends email to Bob who uses PGP Inc, who
replies to Alice, then Bob's reply (possibly also quoting text from
Alice) might be compromised. They are pointing out once again the
many reasons to not support ADKs at all:
http://www.cert.org/advisories/CA-2000-18.html
http://www.pgp.com/other/advisories/adk.asp
http://www.counterpane.com/key-escrow.html
http://slashdot.org/article.pl?sid=00/08/24/155214&threshold=3
Sigh,
Neal McBurnett <neal at bcn.boulder.co.us> 303-538-4852
Avaya Communication / Internet2 / Bell Labs / Lucent Technologies
http://bcn.boulder.co.us/~neal/ (with PGP key)
More information about the LUG
mailing list