NAI PGP open to ADK attack

Thomas Gebhardt gebhardt at HRZ.Uni-Marburg.DE
Thu Aug 24 11:25:11 CEST 2000


just read an interesting article from Ralf Senderek


He pointed out that newer Versions of NAI PGP accept
Additional Decrytion Keys (ADKs) that are not protected
by the self signature of the public key. Therefore it
is possible to add ADKs to the public key without the
permission of the key owner and without changing the
fingerprint, making it hard to detect the manipulation.

Gnupg is not affected. But, of course, public keys genereated
by gnupg can also be manipulated to include an ADK.
NAI PGP users who use that compromised key for encryption
will eventually (and unintentionally) use that ADK, too.

Kind Regards, Thomas

Th. Gebhardt (gebhardt at
HRZ, Hans Meerwein Strasse,        Phone: +49-6421/28-23572
D-35032 Marburg, Germany           Fax  :            -26994

More information about the Gnupg-devel mailing list