NAI PGP open to ADK attack

Rich Wales richw at
Mon Aug 28 16:38:00 CEST 2000

Earlier today, I wrote:

	> Right now, as far as I can see, a PGP 5/6 user can
	> =NOT= in fact successfully encrypt a message using
	> a key produced by GnuPG -- because even though both
	> programs use the same packet version (v4), the algo-
	> rithms used by default in GnuPG are not supported by
	> any current version of PGP.

I did some more investigation on this point, though, and now I'm not
so sure any more.

If I understand the way PGP 5/6 and GnuPG work (someone please speak
up if I'm mistaken this time), PGP 5/6 =can= successfully encrypt to
a GnuPG (ElGamal) key, by using the CAST5 cipher and ZIP compression.

I tried this earlier, and it didn't work for some reason -- but I tried
it again just now, and it worked fine, so I guess I did something wrong
in my first test.

Now, I really do hope I was right earlier (and confused now), because
if I am right this time, it seems to me that a GnuPG user =can= get
stung by the PGP ADK bug right now -- if a malicious attacker adds a
PGP-style ADK to the unhashed portion of a GnuPG key on a server, and
if some naive user (using a non-bug-fixed PGP 5/6) subsequently creates
a message encrypted using this altered GnuPG key.


I know I'm going to end up with egg on my face either way -- either
because I was wrong earlier and right now, or because I was right
earlier and wrong now -- but truth is more important than pride when
it comes to this sort of thing, I suppose.

Rich Wales         richw at

More information about the Gnupg-devel mailing list