Does GNUPG have the PGP ADK weakness?

Huels, Ralf KSV Ralf.Huels@schufa.de
28 Aug 2000 10:43:31 +0200



> Some statements by Ralf Senderek may have led to some confusion and
> I have the impression that he published his paper without contacting
> NAI prior to give them a chance to fix the bug.
It seems to me that two aspects of the problem have been happily mixed up by several authors. One is whether a given software uses the ADK feature and encrypts to an ADK. The other is whether a key can be modified to contain an illicit ADK.

Ralf's statement that GnuPG is vulnerable seems to be based on the fact that keys generated by GnuPG can be modified by an attacker to contain an unwanted ADK. No user of GnuPG will have a problem with that as GnuPG does not use the ADK feature at all (i.e. not even with authentic ADKs). However, if that key is subsequently used as an encryption key by someone using an unfixed PGP version, it will encrypt to the illicit ADK. In that sense, GnuPG-generated keys are vulnerable to the ADK bug even if GnuPG itself is not.

Bye,
Ralf

--
Ralf Hüls Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH 44866 Bochum
Score-Consult Tel. 02327/9114-28
http://www.schufa.de/ Fax. 02327/8 40 27