ADK discussion and GnuPG

Nils Ellmenreich Nils@infosun.fmi.uni-passau.de
Fri, 25 Aug 2000 15:41:46 +0200 (CEST)


Hi all,

the German online news from Heise Verlag has an article on the PGP/ADK
vulnerability. In there, they claim that PGP >= v.5 and GnuPG are
affected, and only PGP 2.6.x is secure. This has provoked an intense
discussion on their bulletin board. I think they're wrong ... :-)

What happened?

They refer to http://senderek.de/security/key-experiments.html where Ralf
explains why in his view ADKs are a bad idea. He explains how ADKs work
in V4 key certificates (which are used by new PGPs and GnuPG).

Then they have taken the following paragraph from Ralf's page:

 How to Avoid Version-4-Signatures

 But how can you be sure if you have got someone else's public key with
 a Version-4-self-signature?

 Since DH-keys all have Version-4-self-signatures, you should avoid using
 those for encryption. But detecting V4-RSA-keys is sometimes
 difficult. Using PGP553i for Windows V4-RSA-keys do present themselves
 as V3-RSA-keys with key-IDs and fingerprints computed in
 Version-3-style. Upgrading to PGP651i for Windows shows the same key
 with a new V4-style key-ID and with a different new fingerprint but
 truncated to the first 16 bytes, so that it looks like a V3-style
 fingerprint, which it clearly is not. So if you see 16 byte
 fingerprints you cannot be sure that the key does not have a
 Version-4-self-signature. To be sure you have to go into byte analysis
 of the key packets. Using GnuPG makes things worse because all
 V4-signatures I have created on RSA-keys were made using this program.


From this last comment they conclude that GnuPG is also affected. This
neglects the fact that GnuPG *ignores* the ADK part. The only problem is
(which Ralf might be aiming at), that a GnuPG user "Bob" might think "I'm
not affected, nothing can happen to me, 'cause I'm using GnuPG". What in
fact could happen is that Bob's generated V4 certificate is being extended
by an ADK from the malicious "Mallory". Mallory fools PGP-user "Alice" into
believing that the extended Bob-certificate is genuine. Alice includes this
key into her keyring and uses it to encrypt messages to Bob. If Mallory
intercepts these messages, he can read them.

BUT: this all depends on PGP using ADKs in the first place and not checking
whether the ADK is signed (that's what the current fuzz is about). So it's
a problem of Alice using a vulnerable version of PGP.

From this to claim "GnuPG is vulnerable" is very wrong, at least in my
view. So, GnuPG is not "affected"!

Does anyone disagree with this explanation?

Cheers, Nils

-- 
Nils Ellmenreich - Fakultaet fuer Math./Informatik - Nils @
http://www.fmi.uni-passau.de/~nils - Univ. Passau - Uni-Passau.DE

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a
subject of "unsubscribe" to gnupg-users-request@gnupg.org
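The "byte analysis of the key packets" Ralf mentions, and the distinction Nils draws between an ADK that is signed and one that is merely appended, can be checked mechanically. The following is an added example written for this archive page; it is not code from the mail, from GnuPG or from PGP. It walks an OpenPGP keyring (old- and new-format packet headers as in RFC 4880), looks at every V4 signature packet, and reports any subpacket of type 10, the "placeholder for backward compatibility" type that PGP used for ADKs, together with whether it sits in the hashed area (covered by the signature) or the unhashed area (not covered, so anyone could have added it, which is Mallory's move in the scenario above). The body layout assumed for that subpacket (class octet, algorithm octet, 20-byte fingerprint) is an assumption about PGP's historical format; the sample key, its MPIs and the "Mallory" fingerprint are constructed dummies with no real cryptography behind them.

```python
# Added example: detect ADK-style (type 10) subpackets in OpenPGP signatures.
import struct

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPKT_CREATION_TIME, SUBPKT_ADK, SUBPKT_ISSUER = 2, 10, 16

# Constructed fingerprint standing in for "Mallory's" key (not a real key).
MALLORY_FP = bytes(range(0x10, 0x24))


def _read_length(data, pos):
    """Decode a new-format packet/subpacket length starting at data[pos]."""
    b0 = data[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 224:
        return ((b0 - 192) << 8) + data[pos + 1] + 192, pos + 2
    if b0 == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial body lengths are not handled in this example")


def iter_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                      # new-format header: tag in low 6 bits
            tag = ctb & 0x3F
            length, pos = _read_length(data, pos + 1)
        else:                               # old-format header: tag in bits 2..5
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packets are not handled")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        yield tag, data[pos:pos + length]
        pos += length


def iter_subpackets(area):
    """Yield (type, body) for each subpacket; the length covers type octet + body."""
    pos = 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        sub_type = area[pos] & 0x7F         # mask off the "critical" bit
        yield sub_type, area[pos + 1:pos + length]
        pos += length


def find_adk_subpackets(sig_body):
    """Return [(area, fingerprint_hex)] for every type-10 subpacket in a V4 signature.

    "hashed" subpackets are covered by the signature; an "unhashed" one could
    have been appended by anyone after the key was signed.
    """
    if sig_body[0] != 4:
        return []                           # V3 signatures carry no subpackets
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[p:p + 2])[0]
    unhashed = sig_body[p + 2:p + 2 + unhashed_len]
    found = []
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for sub_type, body in iter_subpackets(area):
            if sub_type == SUBPKT_ADK:      # body = class, algorithm, fingerprint (assumed)
                found.append((area_name, body[2:].hex()))
    return found


def audit_key(keyring):
    """Collect ADK findings across every signature packet in the keyring."""
    findings = []
    for tag, body in iter_packets(keyring):
        if tag == TAG_SIGNATURE:
            findings.extend(find_adk_subpackets(body))
    return findings


# --- constructed sample key (dummy MPIs, no real cryptography) ---------------
def _packet(tag, body):
    assert len(body) < 192                  # one-octet new-format length is enough here
    return bytes([0xC0 | tag, len(body)]) + body


def _subpacket(sub_type, body):
    return bytes([len(body) + 1, sub_type]) + body


def build_sample_key(adk_in_unhashed):
    """Bob's V4 key with a self-signature, optionally extended by Mallory's ADK."""
    created = (967000000).to_bytes(4, "big")
    pubkey = _packet(TAG_PUBLIC_KEY, bytes([4]) + created + bytes([1])
                     + bytes([0, 16, 0xAB, 0xCD]) + bytes([0, 5, 0x11]))  # dummy n, e
    uid = _packet(TAG_USER_ID, b"Bob <bob@example.org>")
    hashed = _subpacket(SUBPKT_CREATION_TIME, created)
    unhashed = _subpacket(SUBPKT_ISSUER, b"\x01\x23\x45\x67\x89\xAB\xCD\xEF")
    if adk_in_unhashed:                     # appended outside the signed area
        unhashed += _subpacket(SUBPKT_ADK, b"\x80\x01" + MALLORY_FP)
    sig_body = (bytes([4, 0x13, 1, 2])      # V4, positive cert, RSA, SHA-1
                + struct.pack(">H", len(hashed)) + hashed
                + struct.pack(">H", len(unhashed)) + unhashed
                + b"\x12\x34" + bytes([0, 16, 0x55, 0xAA]))  # dummy hash bits, dummy sig MPI
    return pubkey + uid + _packet(TAG_SIGNATURE, sig_body)


if __name__ == "__main__":
    for label, key in (("clean", build_sample_key(False)),
                       ("extended by Mallory", build_sample_key(True))):
        print(label, "->", audit_key(key) or "no ADK subpackets")
```

Run against the constructed keys, the clean key yields nothing while the extended key reports Mallory's fingerprint in the unhashed area, which is exactly the case the mail describes: the ADK is present in the certificate Alice imports but was never signed by Bob, so a client that honours unhashed ADKs encrypts to Mallory without any cryptographic basis for doing so. A hashed-area finding would still be worth surfacing to the user, since it means whoever held the signing key chose to add a second recipient.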