NAI PGP open to ADK attack

Werner Koch wk at gnupg.org
Mon Aug 28 19:22:19 CEST 2000 

On Mon, 28 Aug 2000, Rich Wales wrote:

> I was proposing that GnuPG should warn the recipient whenever he/she
> tries to decrypt a message which has also been encrypted with someone
> else's public key -- that is, whenever a message contains one or more

Okay, I understand.

> My underlying idea is that if I get an encrypted message which is
> decryptable by anyone else other than the sender, me, or (in the case
> of a work-related key, my company), I want to be sure to know this

It is not easy to figure out the senders key.  He might use one which
is not on a keyserver becuase it is only used for the local copy of
the mail.  I have sometimes seen an lot of other recipients in an
encrypted mail which I don't know - the question here is whether it
makes sense to encrypt at all.

Currently GnuPG lists all the recipients keys until it found one which
can be used for decryption.  This should probably be changed to list
all keys for which a message has been encrypted and a MUA can do lookups
on those keys to display user IDs or give other warnings.

> a message using a key produced by GnuPG -- because even though both
> programs use the same packet version (v4), the algorithms used by
> default in GnuPG are not supported by any current version of PGP.

This should not happen.  Each key has a list of preferred algorithms
and an OpenPGP implementation should take the intersection of all keys
to find the algorithm to use.  Some problems do occur when a GnuPG
created key is later used with PGP where some of those algorithms are
not imp,emnted (actually this is Blowfish). 

> inadvertently encrypted to unauthorized recipients needs to include
> checks in the recipient's software -- not simply fixing bugs in every
> possible sender's software.

However, because the sender's implementation might be a closed source
one, it can create several messages or drop all recipients except for
the one this copy of the message is actually sende to.  I think some
encrypted mailing lists systems do it like that (in that case to keep
the size of the message small).  

Any reporting facility on the recipients site has to assume that the
sender plays by the same rule.

  Werner

-- 
Werner Koch				GnuPG key:  621CC013
OpenIT GmbH                             http://www.OpenIT.de

More information about the Gnupg-devel mailing list