NAI PGP open to ADK attack
richw at webcom.com
Sat Aug 26 10:10:05 CEST 2000
Thomas Gebhardt reported the PGP ADK bug, and wrote:
> Gnupg is not affected.
Correct, in the sense that GnuPG does not recognize ADK's (additional
decryption keys or "additional recipient requests") in version-4 keys.
So, GnuPG users can't inadvertently encrypt messages to illegitimate
extra keys. However, I think GnuPG users are still vulnerable to the
problem if other people encrypt messages to them using NAI PGP.
> But, of course, public keys generated by gnupg can
> also be manipulated to include an ADK. NAI PGP users
> who use that compromised key for encryption will
> eventually (and unintentionally) use that ADK, too.
Also correct -- and, in my view, a serious concern. If someone uses
NAI PGP to send me a message encrypted with my GnuPG key, his copy of
my key could have been contaminated with an illegitimate ADK, and his
message to me would end up being encrypted to the extra key.
I've been thinking of possible solutions or workarounds. Comments on
(1) Modify GnuPG to notify the recipient whenever a message has been
encrypted to any key that isn't in the user's secret keyring.
(This situation isn't necessarily an error, of course -- the
sender may have intentionally encrypted the message for multiple
(2) Modify the OpenPGP standard to switch over to a new signature
packet format (version 5?), not recognized by NAI PGP.
Rich Wales richw at webcom.com http://www.webcom.com/richw/
More information about the Gnupg-devel