Does GNUPG have the PGP ADK weakness?

[Huels, Ralf KSV]

> Some statements by Ralf Senderek may have led to some confusion and
> I have the impression that he published his paper without contacting
> NAI prior to give them a chance to fix the bug.  

It seems to me that two aspects of the problem have been happily mixed
up by several authors. 
One is whether a given software uses the ADK feauture and encrypts to an 
ADK.
The other is whether a key can be modified to contain an illicit ADK.

Ralf´s statement that GnuPG is vulnerable seems to be based on the fact 
that keys generated by GnuPG can be modified by an attacker to contain
an unwanted ADK. No user of GnuPG will have a problem with that as GnuPG
does not use the ADK feature at all (i.e. not even with authentic ADKs). 
However, if that key is subsequently used as an encryption key by someone 
using an unfixed PGP version, it will encrypt to the illicit ADK. 

In that sense, GnuPG-generated keys are vulnerable to the ADK bug even if 
GnuPG itself is not.

Tschuess,
Ralf

-- 
Ralf Hüls                                                  Bismarckplatz
KSV Kreditschutz-Vereinigung GmbH                           44866 Bochum
Score-Consult                                         Tel. 02327/9114-28
http://www.schufa.de/                                 Fax. 02327/8 40 27


 

-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org