FW: Serious bug in PGP - versions 5 and 6
Thu, 24 Aug 2000 11:18:38 +0100
Further to my previous mail, Stephen has gone some way towards identifying
which versions are vulnerable (see note below). The worrying part to me is:
"The problem won't go away until all vulnerable versions of PGP are retired,
since it's the sender who is responsible for encrypting to the ADKs, not the
Can anyone with 5.5.3i confirm that the default action is to warn when
encrypting to ADKs?
> -----Original Message-----
> From: Stephen Early [mailto:Stephen.Early@cl.cam.ac.uk]
> Sent: 24 August 2000 11:12
> To: email@example.com
> Subject: Re: Serious bug in PGP - versions 5 and 6
> Brian Morrison writes:
> > On Thu, 24 Aug 2000 08:09:07 +0100, Ross Anderson wrote:
> > >The problem won't go away until all vulnerable versions of PGP are
> > >retired, since it's the sender who is responsible for encrypting to
> > >the ADKs, not the recipient.
> > The key issue from my point of view is which PGP versions
> exhibit this
> > bug. Is there a list by OS for instance? Might this exist within
> > products that use the PGP SDK?
> Yes - the bug I found was within the PGP SDK from NAI.
> At a guess (i.e. without finding and checking the source code to all
> available versions) I would say that the bug exists in all versions of
> PGP and the PGP SDK from NAI since the ADK feature was implemented.
> The original paper is at
> http://senderek.de/security/key-experiments.html - it is quite
> detailed. I sent Ross a simple summary, which I reproduce here:
> When a PGP key-pair is generated, the public key is stored in a file
> as a number of typed 'packets': the key itself, a userid, etc. One of
> these packets is a signature of the previous packets made with the
> private key, to bind them together (so that, for example, the userid
> cannot be changed).
> In PGP version 3 files, it's as simple as that.
> In PGP version 4 files, the signature packet contains some extra
> fields: two sets of 'subpackets'. One set of subpackets is included in
> the hash, and therefore cannot be tampered with. The other is not
> included in the hash.
> Some versions of PGP allow "Additional Decryption Keys" to be
> specified for public keys. They are specified by including the
> additional key identity in a subpacket in the signature. The idea is
> that when you create a key pair and sign the public part, you sign the
> identities of any ADKs that you want to use. This is supposed to
> prevent ADKs from being specified without the consent of the holder of
> the private key.
> Unfortunately, some versions of PGP respond to ADK subpackets in the
> non-hashed part of the signature. This is a blatant bug. They treat
> them exactly as if they were hashed, i.e. they show up as ADKs in the
> list of 'key properties', and messages encrypted to the public key
> include packets allowing the session key to be obtained by holders of
> the ADKs.
> Tested versions of PGP:
> PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
> PGP-5.0i UNIX (not vulnerable)
> PGP-5.5.3i WINDOWS (VULNERABLE)
> PGP-6.5.1i WINDOWS (VULNERABLE)
> GnuPG-1.0.1 UNIX (not vulnerable)
> The problem won't go away until all vulnerable versions of PGP are
> retired, since it's the sender who is responsible for encrypting to
> the ADKs, not the recipient.
> As far as I can tell, nobody has done the experiment of uploading a
> modified signature packet to a keyserver yet - will it replace the
> existing signature packet, or be ignored? (Or possibly be stored in
> addition, in which case more experiments need to be done: what will
> various versions of PGP do if given keys with multiple
> Programs like gnupg can be used to list pgp files at the packet level;
> you can look to see whether messages you receive have been encrypted
> to additional keys (gpg --list-packets). You can also look at public
> keys and check for ADK subpackets in the non-hashed part of the
> Steve Early
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org