NAI PGP open to ADK attack

Rich Wales richw at
Sat Aug 26 10:10:05 CEST 2000

Thomas Gebhardt reported the PGP ADK bug, and wrote:

	> Gnupg is not affected.

Correct, in the sense that GnuPG does not recognize ADK's (additional
decryption keys or "additional recipient requests") in version-4 keys.
So, GnuPG users can't inadvertently encrypt messages to illegitimate
extra keys.  However, I think GnuPG users are still vulnerable to the
problem if other people encrypt messages to them using NAI PGP.

	> But, of course, public keys generated by gnupg can
	> also be manipulated to include an ADK.  NAI PGP users
	> who use that compromised key for encryption will
	> eventually (and unintentionally) use that ADK, too.

Also correct -- and, in my view, a serious concern.  If someone uses
NAI PGP to send me a message encrypted with my GnuPG key, his copy of
my key could have been contaminated with an illegitimate ADK, and his
message to me would end up being encrypted to the extra key.

I've been thinking of possible solutions or workarounds.  Comments on
the following?

(1) Modify GnuPG to notify the recipient whenever a message has been
    encrypted to any key that isn't in the user's secret keyring.
    (This situation isn't necessarily an error, of course -- the
    sender may have intentionally encrypted the message for multiple

(2) Modify the OpenPGP standard to switch over to a new signature
    packet format (version 5?), not recognized by NAI PGP.

Rich Wales         richw at
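An illustration of proposal (1), added here as an example and not taken from the original post or from GnuPG's code: list the key IDs in a binary (de-armored) message's Public-Key Encrypted Session Key packets and report those that are not the recipient's own. The function names and the sample key IDs are assumptions made for this sketch, and `own_key_ids` must include the IDs of the encryption subkeys, since those are what the packets carry.

```python
def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet header (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:  # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                return  # partial body: encrypted data, the PKESKs precede it
        else:  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return  # indeterminate length: encrypted data runs to the end
            n = 1 << ltype
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(message):
    """Key IDs named in version-3 PKESK packets (tag 1), in message order."""
    return [body[1:9].hex().upper()
            for tag, body in iter_packets(message)
            if tag == 1 and len(body) >= 10 and body[0] == 3]

def foreign_recipients(message, own_key_ids):
    """Recipient key IDs that are not in the user's own secret keyring."""
    own = {k.upper() for k in own_key_ids}
    return [k for k in recipient_key_ids(message) if k not in own]

def build_pkesk(key_id_hex, new_format):
    """Constructed test packet: version 3, key ID, algorithm 16, dummy MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x10" + b"\x00\x08\xaa"
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

# Constructed sample: two recipients, then an encrypted data packet (tag 9).
SAMPLE = (build_pkesk("1111111111111111", False)
          + build_pkesk("DEADBEEF00000001", True) + b"\xa7" + b"\x00" * 16)

if __name__ == "__main__":
    print("extra recipients:", foreign_recipients(SAMPLE, ["1111111111111111"]))
```

A non-empty result is only a prompt to check with the sender, since the extra key may be a legitimate second recipient.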

More information about the Gnupg-devel mailing list