NAI PGP open to ADK attack
richw at webcom.com
Mon Aug 28 16:38:00 CEST 2000
Earlier today, I wrote:
> Right now, as far as I can see, a PGP 5/6 user can
> =NOT= in fact successfully encrypt a message using
> a key produced by GnuPG -- because even though both
> programs use the same packet version (v4), the algo-
> rithms used by default in GnuPG are not supported by
> any current version of PGP.
I did some more investigation on this point, though, and now I'm not
so sure any more.
If I understand the way PGP 5/6 and GnuPG work (someone please speak
up if I'm mistaken this time), PGP 5/6 =can= successfully encrypt to
a GnuPG (ElGamal) key, by using the CAST5 cipher and ZIP compression.
I tried this earlier, and it didn't work for some reason -- but I tried
it again just now, and it worked fine, so I guess I did something wrong
in my first test.
Now, I really do hope I was right earlier (and confused now), because
if I am right this time, it seems to me that a GnuPG user =can= get
stung by the PGP ADK bug right now -- if a malicious attacker adds a
PGP-style ADK to the unhashed portion of a GnuPG key on a server, and
if some naive user (using a non-bug-fixed PGP 5/6) subsequently creates
a message encrypted using this altered GnuPG key.
I know I'm going to end up with egg on my face either way -- either
because I was wrong earlier and right now, or because I was right
earlier and wrong now -- but truth is more important than pride when
it comes to this sort of thing, I suppose.
Rich Wales richw at webcom.com http://www.webcom.com/richw/
More information about the Gnupg-devel