FW: Serious bug in PGP - versions 5 and 6

Simpson, Sam s.simpson@mia.co.uk
Thu, 24 Aug 2000 15:17:34 +0100 

Further insightful comments from Adam Back (a "good guy" from the UK).



Regards,

Sam Simpson
http://www.scramdisk.clara.net/


> -----Original Message-----

> From: Adam Back [mailto:adam@cypherspace.org] 

> Sent: 24 August 2000 15:12

> To: Ross.Anderson@cl.cam.ac.uk

> Cc: ukcrypto@maillist.ox.ac.uk; ietf-openpgp@imc.org

> Subject: Re: Serious bug in PGP - versions 5 and 6

> 

> 

> 

> Ross Anderson writes on uk-crypto:

> > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.

> > 

> > [...]

> > 

> > He's written a paper on his work and it's at

> > 

> >         http://senderek.de/security/key-experiments.html

> > 

> > Since NAI joined the Key Recovery Alliance, PGP has supported

> > "Additional Decryption Keys" which can be added to a public key.

> > 

> > The sender will then encrypt the session key to these as well as to

> > your main public key. The bug is that some versions of PGP respond

> > to ADK subpackets in the non-signed part of the public key data

> > structure.  The effect is that GCHQ can create a tampered version of

> > your PGP public key containing a public key whose corresponding

> > private key is also known to themselves, and circulate it. People

> > who encrypt traffic to you will encrypt it to them too.

> 

> Amazing, and really unfortunate.  Those of us who invested large

> amounts of effort in ensuring the ADK subpackets were not included in

> the ietf openPGP standard can be pleased we succeeded -- otherwise

> gnuPG and other implementations may now also have contributed to this

> risk.  As it is gnuPG doesn't honor ADK requests, and all the rfc2440

> says about them is:

> 

>        10 = placeholder for backward compatibility

> 

> At the time I was suggesting that if PGP really must insist on

> creating software to escrow communications (the primary argument being

> that people didn't want to lose access to the stored mail as opposed

> to being able to have designated third parties snooping mail in

> transit) they should use storage key escrow.

> 

> My main premise was that communication key escrow is too risky because

> an outside attacker gets the plaintext:

> 

	http://www.cypherspace.org/~adam/cdr/

"Keys used to encrypt email which is transmitted over the Internet are
more valuable to an attacker than keys used to encrypt stored files
because of the relative ease with which an attacker can obtain copies
of emailed ciphertext. Stored encrypted files in contrast are
protected by all the physical security systems the company is relying
on to protect it's paper files, plaintext data stored on disks, and
backup tapes. [...]"

There was also lots of political discussion of how unwise it was for
PGP to create a escrow infrastructure which could as easily be used by
governments as by SEC companies to archive their employees
communications.

And people quoting Phil Zimmermann a few years earlier complaining
about ViaCrypt's PGP4 for business variant which had "escrow" in the
form of a third party "encrypt-to-self" config file setting.

And I believe I recall the NSA or some other US government body
picking up on the CMR / ADK mechanism and holding it up as evidence
against the claim that key recover was complex ... "see PGP did it,
this works".


> It's of scientific interest because it spectacularly confirms a

> prediction made by a number of us in the paper on `The Risks of Key

> Recovery, Key Escrow, and Trusted Third-Party Encryption'

> <http://www.cdt.org/crypto/risks98/> that key escrow would make it

> much more difficult than people thought to build secure systems.


Yes.  It really highlights the truth in the statement about the
new risks introduced by adding key escrow.

Adam

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org