Does GNUPG have the PGP ADK weakness?
Huels, Ralf KSV
28 Aug 2000 10:43:31 +0200
> Some statements by Ralf Senderek may have led to some confusion and
> I have the impression that he published his paper without contacting
> NAI prior to give them a chance to fix the bug.
It seems to me that two aspects of the problem have been happily mixed
up by several authors.
One is whether a given software uses the ADK feauture and encrypts to an
The other is whether a key can be modified to contain an illicit ADK.
Ralf´s statement that GnuPG is vulnerable seems to be based on the fact
that keys generated by GnuPG can be modified by an attacker to contain
an unwanted ADK. No user of GnuPG will have a problem with that as GnuPG
does not use the ADK feature at all (i.e. not even with authentic ADKs).
However, if that key is subsequently used as an encryption key by someone
using an unfixed PGP version, it will encrypt to the illicit ADK.
In that sense, GnuPG-generated keys are vulnerable to the ADK bug even if
GnuPG itself is not.
Ralf Hüls Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH 44866 Bochum
Score-Consult Tel. 02327/9114-28
http://www.schufa.de/ Fax. 02327/8 40 27
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of "unsubscribe" to firstname.lastname@example.org