NAI PGP open to ADK attack

Rich Wales richw at webcom.com
Mon Aug 28 09:46:54 CEST 2000 

Earlier, I suggested:

	RW>> Modify GnuPG to notify the recipient whenever a
	RW>> message has been encrypted to any key that isn't
	RW>> in the user's secret keyring.

to which Werner Koch replied:

	WK> You don't encrypt to a key in the secret keyring.
	WK> That is the whole point of public key encryption.
	WK> You use a public key to encrypt a message.

Sorry if what I wrote was confusing.  I chose my preposition carefully
("to", not "with"), but just to be totally clear, let me rephrase what
I was trying to say.

I was proposing that GnuPG should warn the recipient whenever he/she
tries to decrypt a message which has also been encrypted with someone
else's public key -- that is, whenever a message contains one or more
encrypted packets which are not marked as being decryptable using any
key belonging to the recipient -- where the concept of whether a key
"belongs" to the recipient is equivalent to whether the secret portion
of the key is included in the recipient's own secret keyring.

Upon further thought, I would change this proposal so that warnings
would not be produced simply because a message is encrypted to its
sender as well as to its recipient.

And if the OpenPGP spec were to be expanded at some future time to
include ARR's/ADK's, then I would modify my proposal so that warnings
would not be produced in connection with an encrypted packet which
is marked as being decryptable using a key that is listed as an ADK
within any key belonging to the recipient (in the recipient's own
copy of his/her own key, of course).  However, I =would= produce a
warning if an encrypted packet corresponded to an ADK within the
sender's key.

My underlying idea is that if I get an encrypted message which is
decryptable by anyone else other than the sender, me, or (in the case
of a work-related key, my company), I want to be sure to know this
fact.  Clearly, in some cases, it is perfectly normal for messages
to be encrypted to several recipients -- but I should still be aware
if a given message is not totally private.

Werner also wrote:

	WK> There are no v5 packets and there are no reasons to
	WK> change the current v4 protocol.  ARR are not defined
	WK> in OpenPGP and even PGP has an option to warn you
	WK> about their use.

After some more thought, I think I agree with Werner, and I hereby
retract my suggestion about a new packet format.  Right now, as far
as I can see, a PGP 5/6 user can =NOT= in fact successfully encrypt
a message using a key produced by GnuPG -- because even though both
programs use the same packet version (v4), the algorithms used by
default in GnuPG are not supported by any current version of PGP.

Then again, it is certainly conceivable that a future version of PGP
(or some other encryption program) might be expanded to support the
GnuPG algorithms.  If that ever happens, then a GnuPG user could be
vulnerable to bugs in PGP or other non-GnuPG software.  This suggests
(in my view) that a good defensive strategy against messages being
inadvertently encrypted to unauthorized recipients needs to include
checks in the recipient's software -- not simply fixing bugs in every
possible sender's software.

Rich Wales         richw at webcom.com         http://www.webcom.com/richw/

More information about the Gnupg-devel mailing list