NAI PGP open to ADK attack
Thomas Gebhardt
gebhardt at HRZ.Uni-Marburg.DE
Thu Aug 24 11:25:11 CEST 2000
Hi,
just read an interesting article from Ralf Senderek
(http://senderek.de/security/key-experiments.html)
He pointed out that newer versions of NAI PGP accept
Additional Decryption Keys (ADKs) that are not protected
by the self signature of the public key. Therefore it
is possible to add ADKs to the public key without the
permission of the key owner and without changing the
fingerprint, making it hard to detect the manipulation.
Gnupg is not affected. But, of course, public keys generated
by gnupg can also be manipulated to include an ADK.
NAI PGP users who use that compromised key for encryption
will eventually (and unintentionally) use that ADK, too.
Kind Regards, Thomas
--
Th. Gebhardt (gebhardt at hrz.uni-marburg.de)
---------------------------------------------------------------
HRZ, Hans Meerwein Strasse, Phone: +49-6421/28-23572
D-35032 Marburg, Germany Fax : -26994
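
An added example, not part of the original post or of any project's code: a check for ADK subpackets that sit outside the signed part of a version 4 self-signature, which is why the fingerprint and the self-signature still verify after such an addition. It assumes the caller has already extracted the signature packet body, and that the ADK is carried as signature subpacket type 10; the function names and sample bytes are constructed for illustration.

```python
ADK_SUBPACKET = 10  # assumption: subpacket type PGP uses for an ADK

def _subpackets(area):
    """Yield (type, critical, data) for each subpacket in a v4 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                      # one-octet length
            length, i = first, i + 1
        elif first < 255:                    # two-octet length
            length, i = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192, i + 2
        else:                                # 0xFF followed by a four-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def adk_subpackets(sig_body):
    """Return [(area_name, critical, data)] for every ADK subpacket found."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    hashed_end = 6 + int.from_bytes(sig_body[4:6], "big")
    unhashed_end = hashed_end + 2 + int.from_bytes(sig_body[hashed_end:hashed_end + 2], "big")
    if unhashed_end > len(sig_body):
        raise ValueError("truncated signature packet")
    areas = (("hashed", sig_body[6:hashed_end]),
             ("unhashed", sig_body[hashed_end + 2:unhashed_end]))
    return [(name, crit, data) for name, area in areas
            for typ, crit, data in _subpackets(area) if typ == ADK_SUBPACKET]

def unprotected_adks(sig_body):
    """ADK subpackets in the unhashed area, i.e. not covered by the signature."""
    return [data for name, _, data in adk_subpackets(sig_body) if name == "unhashed"]

# Constructed sample input: header fields, subpacket areas, 2 hash octets, no MPIs.
def _sub(typ, data):
    return bytes([len(data) + 1, typ]) + data

def _sig(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")

_CTIME = _sub(2, bytes(4))                          # creation time subpacket
_ADK = _sub(10, bytes([0x80, 17]) + b"\xAA" * 20)   # class, algorithm, fingerprint
SAMPLE_TAMPERED = _sig(_CTIME, _ADK)                # ADK outside the signed data
SAMPLE_CLEAN = _sig(_CTIME + _ADK, b"")             # ADK covered by the signature

if __name__ == "__main__":
    print(len(unprotected_adks(SAMPLE_TAMPERED)), len(unprotected_adks(SAMPLE_CLEAN)))
```
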