PGP Vulnerability Discovered

Posted by Hemos in the Encryption section on Thursday August 24, @11:01AM
from the keep-an-eye-on-your-key-ring dept.

Bruce Schneier, of Counterpane, sent in the word that a vulnerability has been found in PGP. He attached an explanation below of what's going on, as well as a paper concerning the risks of key escrow.

From Bruce:

PGP Vulnerability

A very serious PGP vulnerability was just discovered. Using this vulnerability, an attacker can create a modified version of someone's public key that will force a sender to encrypt messages to that person AND to the attacker. Let me explain.

When Network Associates joined the Key Recovery Alliance, they modified PGP to allow for third-party key recovery. They did this by supporting something called an Additional Decryption Key (ADK). Normally, when a PGP user creates a PGP certificate, it contains a single public key (as well as identifying information as to who the key belongs to). PGP versions 5 and 6 allow the user to add additional ADKs to the certificate. When a sender encrypts a message to that user, PGP will automatically encrypt the message in both the user's public key and the ADK.
The idea is that the ADK belongs to the secret police, or the user's employer, or some organization, and that organization can intercept the encrypted message and read it. A stupid idea, but that's the sort of thing that Key Escrow demands.

The flaw is that some versions of PGP don't require the ADKs to be in the signed portion of the PGP certificate. What this means is that an organization can take a PGP certificate, append its ADK, and spread it out to the world. This tampered version of the certificate will remain unnoticed by anyone who doesn't manually examine the bytes, and anyone using that tampered version will automatically and invisibly encrypt all messages to the organization as well as the certificate owner.

Unfortunately, the problem won't go away until all vulnerable versions of PGP are eradicated: it's the sender who is responsible for encrypting to the ADKs, not the recipient.

Way back in 1998 a bunch of us cryptographers predicted that adding Key Escrow would make system design harder, and would result in even more security problems. This is an example of that prediction coming true.

131 comments

This was rumored for awhile (Score:2, Informative)
by Smitty825 on Thursday August 24, @11:09AM EDT (#4)

If I remember correctly, it was rumored that the NSA had found a way to break the PGP encryption. That's probably why they haven't discouraged the usage of it all of these years...
GPG? (Score:2, Interesting)
by ldspartan on Thursday August 24, @11:09AM EDT (#7)

Although I don't use it very often personally, does anyone have any information as to if/how this vulnerability applies to GPG?

-- Phil

gpg (Score:1)
by jfm3 on Thursday August 24, @11:13AM EDT (#14)

Does gpg have this vulnerability? Is gpg stable, usable, and using well-analyzed crypto algorithms at this point? Who do we yell "I told you so" at? (Ha ha.)

ADK? Disturbing. (Score:5, Insightful)
by setecastronomy on Thursday August 24, @11:14AM EDT (#16)

Maybe I completely missed the blaring announcements, but why is it that this is the first time that I'm hearing about this ADK 'feature?'
If my version of PGP is automatically including an extra key along with my own, so that the government can snoop on my encrypted mail, it should be made blatantly clear, every time I generate a key. Or maybe I'm missing something obvious?

--- Remove all references to mud-dwelling quadrupeds to email me.

Can we ask someone within PGP? (Score:2, Interesting)
by hvoss on Thursday August 24, @11:17AM EDT (#17)

Does anybody have a good contact within PGP (pref. close to Phil Zimmermann) and get them to comment on this? (Like how can this be detected, other ways to safeguard against this.... etc.)

Hans Voss
--- Can't think of anything fetchy right now

Re:Can we ask someone within PGP? (Score:4, Informative)
by ssimpson on Thursday August 24, @11:27AM EDT (#48)

Will Price, Director of Engineering, PGP Security, Inc. has been alerted and is looking into it - he expects to report back to the PGP-USERS mailing list Thursday.

Lawsuit (Score:5, Funny)
by bwt on Thursday August 24, @11:18AM EDT (#22)

I have copyrighted works protected with PGP. I did not consent to the TPM I use being circumvented. Bruce's description of this vulnerability is clearly a circumvention technology that will be used to pirate my work and is thereby illegal under the DMCA.
I'm going to file a lawsuit against Bruce and Slashdot and anyone who links to Slashdot and anyone who reads the article and anyone who points at or otherwise refers to a person who reads the article. In fact, Bruce himself is circumvention technology, so I'm suing his parents, too, along with the major airlines, both of which have distributed Bruce.

So what's the answer (Score:2, Interesting)
by Gallowglass on Thursday August 24, @11:19AM EDT (#23)

If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem. And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

As to it being a stupid idea, I have to disagree. There are cases where it is important to allow someone else access to the data. For example, in business affairs. If the holder of, say, the secret ingredients to Drambuie (nectar of the Gods, yum, yum!) had the recipe encrypted and suddenly dropped dead, what then? If the only copy is encrypted and no-one else has the key, then the recipe is lost and the company folds.
Re:So what's the answer (Score:5, Informative)
by ssimpson on Thursday August 24, @11:25AM EDT (#43)

> If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

From the author's original message:

* PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
* PGP-5.0i UNIX (not vulnerable)
* PGP-5.5.3i WINDOWS (VULNERABLE)
* PGP-6.5.1i WINDOWS (VULNERABLE)
* GnuPG-1.0.1 UNIX (not vulnerable)

> And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

NO! The problem is that ANYONE can create an ADK on the end of your existing PGP public key!

Wait, Wait! (Score:1)
by Signal 11 on Thursday August 24, @11:19AM EDT (#24)

Okay, everybody take a deep breath. Now, how many of us are using PGP instead of GPG? Okay, those of you who aren't, panic.

dd if=/dev/random bs=1024 count=10 | mail -s "Green Crow" spook@nsa.gov

So just use "authorized" keys. (Score:3, Informative)
by saforrest on Thursday August 24, @11:20AM EDT (#25)

I agree this is a problem, but it doesn't render PGP useless. Just make sure, when you get someone's public key, that it comes from an "authentic" source.
Sue Him ! (Score:3, Funny)
by Fruny on Thursday August 24, @11:20AM EDT (#27)

He has illegally circumvented a carefully designed protection mechanism! His discovery will cause bazillions of dollars to be lost to crime and piracy. Worse even, sites such as Slashdot freely link to this information, destroying a successful business model (namely e-commerce)! Don't let him get away with it, protect our right to profit!

And while you are at it, imprison all mathematicians who might find ways to break our precious cipher systems by finding a way to factor large numbers. (Sounds stupid, but wouldn't there be legal action in such a case?)

Any known exploits? (Score:2)
by crow on Thursday August 24, @11:21AM EDT (#30)

Is there any evidence of this being used in the field? Obviously people have tested the bug once it was reported, but has anyone used it in eavesdropping? It should be easy enough to write a program to check to see if any archived mail has the extra keys.

Answers about GnuPG (Score:5, Informative)
by ssimpson on Thursday August 24, @11:22AM EDT (#32)

See below a message from A. Back. Basically GnuPG is NOT a victim of this "attack".

> -----Original Message-----
> From: Adam Back [mailto:adam@cypherspace.org]
> Sent: 24 August 2000 15:12
> To: Ross.Anderson@cl.cam.ac.uk
> Cc: ukcrypto@maillist.ox.ac.uk; ietf-openpgp@imc.org
> Subject: Re: Serious bug in PGP - versions 5 and 6
>
> Ross Anderson writes on uk-crypto:
> > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
> > [...]
> >
> > He's written a paper on his work and it's at
> >
> > http://senderek.de/security/key-experiments.html
> >
> > Since NAI joined the Key Recovery Alliance, PGP has supported "Additional Decryption Keys" which can be added to a public key.
> >
> > The sender will then encrypt the session key to these as well as to your main public key. The bug is that some versions of PGP respond to ADK subpackets in the non-signed part of the public key data structure. The effect is that GCHQ can create a tampered version of your PGP public key containing a public key whose corresponding private key is also known to themselves, and circulate it. People who encrypt traffic to you will encrypt it to them too.
>
> Amazing, and really unfortunate. Those of us who invested large amounts of effort in ensuring the ADK subpackets were not included in the ietf openPGP standard can be pleased we succeeded -- otherwise gnuPG and other implementations may now also have contributed to this risk. As it is gnuPG doesn't honor ADK requests, and all the rfc2440 says about them is:
>
> 10 = placeholder for backward compatibility
>
> At the time I was suggesting that if PGP really must insist on creating software to escrow communications (the primary argument being that people didn't want to lose access to the stored mail as opposed to being able to have designated third parties snooping mail in transit) they should use storage key escrow.
>
> My main premise was that communication key escrow is too risky because an outside attacker gets the plaintext:
> http://www.cypherspace.org/~adam/cdr/
>
> "Keys used to encrypt email which is transmitted over the Internet are more valuable to an attacker than keys used to encrypt stored files because of the relative ease with which an attacker can obtain copies of emailed ciphertext.
> Stored encrypted files in contrast are protected by all the physical security systems the company is relying on to protect its paper files, plaintext data stored on disks, and backup tapes. [...]"
>
> There was also lots of political discussion of how unwise it was for PGP to create an escrow infrastructure which could as easily be used by governments as by SEC companies to archive their employees' communications. And people quoting Phil Zimmermann a few years earlier complaining about ViaCrypt's PGP4 for business variant which had "escrow" in the form of a third party "encrypt-to-self" config file setting. And I believe I recall the NSA or some other US government body picking up on the CMR / ADK mechanism and holding it up as evidence against the claim that key recovery was complex ... "see PGP did it, this works".
>
> > It's of scientific interest because it spectacularly confirms a prediction made by a number of us in the paper on `The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' that key escrow would make it much more difficult than people thought to build secure systems.
>
> Yes. It really highlights the truth in the statement about the new risks introduced by adding key escrow.
>
> Adam

This is no surprise (Score:5, Insightful)
by Randseed on Thursday August 24, @11:23AM EDT (#38)

This is absolutely no surprise. It's also inconceivable that this is simply an honest bug. It's a backdoor. PGP 5.x was, is, and will continue to be a screwup.

* They deliberately changed the command line interface to break every PGP-interoperable tool out there.
* They released the Windows version months before the UNIX version.
* When they finally were releasing the UNIX versions, they were binary-only.
* Eventually, they got around to releasing the source code to the world. This was supposedly because of legal concerns, but that explanation doesn't really hold water.
The binaries were released and restricted to the U.S. The source code was written in book form and exported, then to be scanned in, which was legal. Of course, the binaries made it out of the U.S. in about 45 minutes. The source code could have easily been released and restricted to the U.S., but wasn't. This didn't sound right at the time either.
* They deliberately broke interoperability with older versions of PGP, which in effect forced people to upgrade. Because they didn't release source code, people were upgrading with binary-only versions.

Anybody searching the Cypherpunks archives from around the time PGP 5.0 was released can find several large threads on these topics. So, again, it doesn't come as a surprise that PGP Incorporated is a government shill organization, particularly after they joined the KRAp. Screw them. They and the government can go fuck themselves.

You're too late (Score:2, Funny)
by Vanders on Thursday August 24, @11:25AM EDT (#40)

We have already read all of your Emails. Thank you for your cooperation. Please stay in your seat, someone will soon arrive to collect you for processing.

Yours,
MIB

This .sig here until i think of something funny.

This is worrying, but: (Score:4, Informative)
by phaze3000 on Thursday August 24, @11:29AM EDT (#53)

* GNUPG isn't affected - so those of us who like software free-as-in-speech don't have a problem.
* It can only affect you if you get a key from an untrusted source. For most /.ers this won't be an issue.

So basically, don't panic just yet. Of course, this will no doubt start a number of 'many eyes of open-source' arguments.

-- Piracy is a victimless crime, like punching someone in the dark.
-- Nelson, the Simpsons

Implications for digital signatures? (Score:1)
by saforrest on Thursday August 24, @11:35AM EDT (#65)

What are the implications of this vulnerability for digital signatures? The standard thing to do when Bob is "signing" a message is for Bob to encrypt it with his private key. Then when Jill gets the message, she decrypts it using Bob's public key, and therefore knows it's from him.

Now, if Jill is using a hypothetical hacked-up version of Bob's public key, does this mean that Joe Random Hacker can send messages that appear to come from Bob, since the public key is associated both with Bob and with Joe's bogus "ADK"?

Called Them (Score:1)
by augustz on Thursday August 24, @11:36AM EDT (#69)

Forwarded, forwarded and forwarded again. Sales forwards to technical support forwards to sales. PGP has no problems, no there are no alternatives to PGP. If anyone else thinks they will have better luck give them a call at 888-347-3925, would love to hear their perspective.

Look at the name (Score:1)
by funk_phenomenon on Thursday August 24, @11:36AM EDT (#71)

It's called Pretty Good Privacy. I mean, the name was its fate. Guess it applies truly now though. It sounds funny when it applies to other areas, such as Pretty Good Security, or Pretty Good Doctor, though. I know the name has nothing to do with the way it works (well now it does), but it's a good note.

Also, there was a question on Jeopardy in The Internet category on what PGP stood for, last night. Interesting.
Even the samurai have teddy bears, and even the teddy bears get drunk

Hold on (Score:2, Insightful)
by jaa on Thursday August 24, @11:37AM EDT (#72)

I keep hearing that this version is unaffected, and that version is unaffected. Aren't all of us affected: "the sender who is responsible for encrypting to the ADKs, not the recipient." Thus, if someone with a broken version of PGP sends me encrypted email, they might also encrypt to an adversary. Am I missing something?

Would Updating Keyservers Help? (Score:1)
by Brian Ristuccia on Thursday August 24, @11:40AM EDT (#76)

Wouldn't the impact of this vulnerability be reduced significantly if the various public keyservers were reconfigured to reject keys uploaded with unsigned ADKs?

Mirrors: CSS and LiViD, Cyber Patrol Info

Explanation of the problem (Score:3, Informative)
by sde1000 on Thursday August 24, @11:57AM EDT (#98)

The reason that this vulnerability in PGP is serious is that you can't fix it by updating your copy: you have to ensure that everybody who might send you encrypted messages has a copy of PGP without the ADK bug. This is difficult, especially when you don't know who your correspondents are going to be ahead of time.

Here is a summary of Ralf's paper that I wrote while reading it yesterday:

When a PGP key-pair is generated, the public key is stored in a file as a number of typed 'packets': the key itself, a userid, etc. One of these packets is a signature of the previous packets made with the private key, to bind them together (so that, for example, the userid cannot be changed).
In PGP version 3 files, it's as simple as that. In PGP version 4 files, the signature packet contains some extra fields: two sets of 'subpackets'. One set of subpackets is included in the hash, and therefore cannot be tampered with. The other is not included in the hash.

Some versions of PGP allow "Additional Decryption Keys" to be specified for public keys. They are specified by including the additional key identity in a subpacket in the signature. The idea is that when you create a key pair and sign the public part, you sign the identities of any ADKs that you want to use. This is supposed to prevent ADKs from being specified without the consent of the holder of the private key.

Unfortunately, some versions of PGP respond to ADK subpackets in the non-hashed part of the signature. This is a blatant bug. They treat them exactly as if they were hashed, i.e. they show up as ADKs in the list of 'key properties', and messages encrypted to the public key include packets allowing the session key to be obtained by holders of the ADKs.

Tested versions of PGP:

* PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
* PGP-5.0i UNIX (not vulnerable)
* PGP-5.5.3i WINDOWS (VULNERABLE)
* PGP-6.5.1i WINDOWS (VULNERABLE)
* GnuPG-1.0.1 UNIX (not vulnerable - doesn't support ADKs)

The problem won't go away until all vulnerable versions of PGP are retired, since it's the sender who is responsible for encrypting to the ADKs, not the recipient.

As far as I can tell, nobody has done the experiment of uploading a modified signature packet to a keyserver yet - will it replace the existing signature packet, or be ignored? (Or possibly be stored in addition, in which case more experiments need to be done: what will various versions of PGP do if given keys with multiple self-signatures?)

More followup:

I've found the bug in the PGP-6.5.1i-beta2 source code. I'm fairly sure it will be identical in all the other vulnerable versions.
In file libs/pgpcdk/priv/keys/keys/pgpRngPub.c, I see two functions: one called ringKeyFindSubpacket(), which finds a subpacket from a self-signature packet, and ringKeyAdditionalRecipientRequestKey(), which uses ringKeyFindSubpacket() to search for ADK subpackets.

ringKeyFindSubpacket() is declared as follows:

    PGPByte const *
    ringKeyFindSubpacket (RingObject *obj, RingSet const *set,
                          int subpacktype, unsigned nth,
                          PGPSize *plen, int *pcritical, int *phashed,
                          PGPUInt32 *pcreation, unsigned *pmatches,
                          PGPError *error);

In particular, the "phashed" parameter is used to return whether the subpacket was in the hashed region.

Now, looking at the call in ringKeyAdditionalRecipientRequestKey() I see this:

    krpdata = ringKeyFindSubpacket (obj, set,
                  SIGSUB_KEY_ADDITIONAL_RECIPIENT_REQUEST, nth,
                  &krdatalen, &critical, NULL, NULL, &matches, error);

...the "phashed" value isn't checked (or even asked for)!

Ok - it's an obvious implementation bug, and the bug itself should be easy to fix. I won't comment on the wisdom of designing in ADKs in the first place; the pro [Read the rest of this comment...]

Re:That's why I'm part of the GNU Generation. . . (Score:2)
by Sneakums on Thursday August 24, @11:23AM EDT (#36)

From what I can make of the section regarding GnuPG, it doesn't warn about the presence of the ADK. However, it places but one session key in the cryptogram, a key only recoverable using the user's private key. But if you get a contaminated version-4 public key, GnuPG will not warn you about it. You should check any and all public keys that you use as described in the article. I'm sure the GnuPG team will not be long in adding functionality to do this automatically.

-- "Where, where is the town? Now, it's nothing but flowers!"
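The checker crow asks for above, built on the hashed/unhashed distinction in sde1000's summary and on Bruce's description at the top of the story, as an added example (this is not code from the page, from PGP, or from Ralf Senderek's paper). It parses a v4 signature body the way the summary describes, walks both subpacket areas, reports every ADK subpacket (type 10) together with whether the signature hash covers it, and then makes the sender-side decision two ways: `count_honored_adks(..., 0)` behaves like the vulnerable versions, which never consult the `phashed` result, and `count_honored_adks(..., 1)` is the fix. The two signature bodies are constructed for this example; the 22-byte ADK body layout (class byte, algorithm byte, 20-byte fingerprint) is assumed to follow PGP's own format, which RFC 2440 does not specify.

```c
/* Added example (not from the page, PGP, or Senderek's paper): walk a v4
 * OpenPGP signature body, list ADK subpackets (type 10) and say whether each
 * is covered by the signature hash. Framing per RFC 2440 5.2.3; the 22-byte
 * ADK body (class, algorithm, 20-byte fingerprint) is PGP's own layout, assumed. */
#include <stdint.h>
#include <string.h>

#define SIGSUB_ADK 10   /* RFC 2440: "10 = placeholder for backward compatibility" */

struct adk_hit {
    int hashed;              /* 1 = hashed (signed) area, 0 = unhashed (forgeable) */
    uint8_t fingerprint[20]; /* key the sender would also encrypt to */
};

/* Subpacket length header (RFC 2440 5.2.3.1): returns header size, 0 on error. */
static size_t read_sublen(const uint8_t *p, size_t avail, size_t *len)
{
    if (avail >= 1 && p[0] < 192) { *len = p[0]; return 1; }
    if (avail >= 2 && p[0] < 255) { *len = ((size_t)(p[0] - 192) << 8) + p[1] + 192; return 2; }
    if (avail < 5) return 0;
    *len = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4];
    return 5;
}

/* Walk one subpacket area, recording every ADK subpacket; -1 on malformed input. */
static int scan_area(const uint8_t *a, size_t n, int hashed,
                     struct adk_hit *hits, int max, int *count)
{
    for (size_t off = 0; off < n; ) {
        size_t len, hl = read_sublen(a + off, n - off, &len);
        if (hl == 0 || len == 0 || off + hl + len > n) return -1;
        uint8_t type = a[off + hl] & 0x7f;            /* bit 7 is the "critical" flag */
        if (type == SIGSUB_ADK && len - 1 == 22 && *count < max) {
            hits[*count].hashed = hashed;
            memcpy(hits[*count].fingerprint, a + off + hl + 3, 20); /* skip type, class, algo */
            (*count)++;
        }
        off += hl + len;
    }
    return 0;
}

/* sig = signature packet body (after the packet header). Returns the number of ADK
 * subpackets found in either area, or -1 if the packet is malformed. */
int find_adks(const uint8_t *sig, size_t n, struct adk_hit *hits, int max)
{
    int count = 0;
    if (n < 6 || sig[0] != 4) return -1;              /* v3 signatures have no subpackets */
    size_t hlen = ((size_t)sig[4] << 8) | sig[5];
    if (6 + hlen + 2 > n) return -1;
    if (scan_area(sig + 6, hlen, 1, hits, max, &count) < 0) return -1;
    size_t upos = 6 + hlen;
    size_t ulen = ((size_t)sig[upos] << 8) | sig[upos + 1];
    if (upos + 2 + ulen > n) return -1;
    if (scan_area(sig + upos + 2, ulen, 0, hits, max, &count) < 0) return -1;
    return count;
}

/* The sender-side decision. require_hashed == 0 models the vulnerable versions, which
 * never look at the phashed result; require_hashed == 1 is the obvious fix. */
int count_honored_adks(const uint8_t *sig, size_t n, int require_hashed)
{
    struct adk_hit hits[8];
    int found = find_adks(sig, n, hits, 8), honored = 0;
    for (int i = 0; i < found; i++)
        if (!require_hashed || hits[i].hashed) honored++;
    return found < 0 ? -1 : honored;
}

/* Constructed self-signature with an ADK appended to the UNHASHED area: the
 * tampering anyone can do to a public key without the owner's private key. */
static const uint8_t tampered_sig[] = {
    0x04, 0x13, 0x01, 0x02,                /* v4, positive certification, RSA, SHA-1 */
    0x00, 0x06,                            /* hashed area: 6 bytes */
    0x05, 0x02, 0x39, 0xA5, 0x00, 0x00,    /*   creation-time subpacket (type 2) */
    0x00, 0x18,                            /* unhashed area: 24 bytes */
    0x17, 0x0A, 0x80, 0x01,                /*   len 23, type 10 (ADK), class, algorithm */
    0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* made-up fingerprint */
    0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
    0x12, 0x34,                            /* left 16 bits of the hash */
    0x00, 0x08, 0x2B                       /* MPI signature value (placeholder) */
};

/* Same ADK, but inside the HASHED area: only the key owner can produce this. */
static const uint8_t consented_sig[] = {
    0x04, 0x13, 0x01, 0x02,
    0x00, 0x1E,                            /* hashed area: 30 bytes */
    0x05, 0x02, 0x39, 0xA5, 0x00, 0x00,
    0x17, 0x0A, 0x80, 0x01,
    0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF,
    0x00, 0x00,                            /* unhashed area: empty */
    0x12, 0x34, 0x00, 0x08, 0x2B
};

int tampered_vulnerable(void) { return count_honored_adks(tampered_sig, sizeof tampered_sig, 0); } /* 1 */
int tampered_fixed(void)      { return count_honored_adks(tampered_sig, sizeof tampered_sig, 1); } /* 0 */
int consented_fixed(void)     { return count_honored_adks(consented_sig, sizeof consented_sig, 1); } /* 1 */
```

For the tampered key the vulnerable rule honors 1 ADK and the fixed rule 0; the consented key yields 1 under either rule, which is the behaviour the design intended. The keyserver filter Brian Ristuccia suggests is the same scan with any `hashed == 0` hit treated as grounds for rejection. The code inspects only the single signature packet it is handed; a key can carry several self-signatures, which is exactly the open question sde1000 raises about keyserver merging.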
Re:Open Source at it's best (Score:2)
by MartinG on Thursday August 24, @11:28AM EDT (#51)

PGP is not open source. GPG, the GNU equivalent of PGP, _is_ open source, and does not have this vulnerability.

As for the police here in the UK, that's a whole other story, and if you ask me Mr Straw has no idea what problems he is creating for the police in the long term with his RIP bill either... but that's another story for another day.

-- MartinG
To mail me: echo $fakeaddress | sed s/daemon/demon/

Re:Open Source at it's best (Score:1)
by sheldon on Thursday August 24, @11:29AM EDT (#54)

Too many cooks spoil the broth, but at least no one person is to blame. :-)

Re:Open Source at it's best--not (Score:2, Insightful)
by Anonymous Coward on Thursday August 24, @11:30AM EDT (#59)

The #1 problem with the "million monkeys" model of software development and testing is that all it does is deliver, in a short amount of time, code created by monkeys. I'd much rather have a smaller number of people working much more intensively on something, a la the ongoing OpenBSD security audit, to catch problems before anyone is burned.

"Sure, the bridge fell down, but look at how quickly we re-engineered and rebuilt it!" is cold comfort to those who were on the bridge when it collapsed.

Re:incredible prediction (Score:1)
by SecurityGuy on Thursday August 24, @11:43AM EDT (#79)

Congratulations on your fine grasp of the obvious. Please realize that policy makers, whether corporate or governmental, don't always have the background to recognize what you see as obvious. There's been a deluge of "Just do $FOO!"
solutions of late, most of which are obviously flawed. These range from adding a "V chip" to consumer electronics to remedy deficient parenting, attempts to regulate internet content (again, to remedy deficient parenting), suing person A because person B used A's service to commit a crime (hi, MPAA & RIAA!), to making it more difficult for law-abiding citizens to protect themselves (you DO have a right to do this, you know) while failing to prosecute and adequately punish criminals. Web "privacy" is addressed by privacy policies which nearly always say "This policy grants you no rights, and we can change it whenever we want anyway." None of these solve the underlying problem, but are used in spite of "obvious" flaws because it was easier than fixing the problem correctly or has good PR value.

There are quite a few out there who don't understand that system complexity correlates negatively with system security. Yes, it's obvious, but say it often and to anyone who will listen. When *everyone* notices the obvious statements, then you can stop.

Re:You just thought you were safe! (Score:1)
by sqlrob on Thursday August 24, @11:56AM EDT (#95)

Yeah, right. So you are a cryptologist that can guarantee you didn't somehow weaken the algorithm with a bad key choice or rounding error? I know I'm not. That's one reason I haven't done cryptography software.

Re:Bald-Faced Alarmism (Score:1)
by lurker786 on Thursday August 24, @11:56AM EDT (#96)

No, this is not an old issue. The point is *not* that your employer/the CIA/X can read your email (scary though it may be). The point is that JoeHacker (anyone) can modify your public key so that *he* can read your mail. Big diff.

Re:Bald-Faced Alarmism (Score:1)
by -brazil- on Thursday August 24, @11:57AM EDT (#99)

You're wrong.
There *was* a new flaw discovered in the key escrow mechanism of PGP that made it vulnerable to *anyone*, not just those with a "legitimate" third party key. Read the post.

Michael "Brazil" Borgwardt
--- Member of #WASHU# and Her would-be guinea-pig.

Re:Bald-Faced Alarmism (Score:1)
by ssimpson on Thursday August 24, @12:00PM EDT (#103)

BUZZZ...You're plain wrong I'm afraid. This story isn't discussing the use/deployment of ADK, but rather that someone can add an ADK packet to any PGP key without corrupting the key or alerting the software: the ADK packet isn't covered by the hash function.

Key escrow good or bad is an interesting topic, but this story is about a damn big hole.

Secrecy: we need privacy and protection from THEM (Score:2)
by Frank T. Lofaro Jr. on Thursday August 24, @12:00PM EDT (#104)

* Privacy. Want us to see EVERYTHING (and I mean EVERYTHING) you do?... Didn't think so.
* Because so many things that shouldn't be illegal, are. Because so many things you have the moral right to do will still get you punished (harassed, fired, sued, imprisoned, assassinated, etc). If you say something The Man doesn't like, you might really begin to appreciate secrecy.

Re:Bald-Faced Alarmism (Score:1)
by Suydam on Thursday August 24, @12:01PM EDT (#105)

This post was not about whether or not Key Escrow was good from the standpoint of privacy and/or morality. Rather, it's about a vulnerability in Key Escrow's current implementation. So frankly, I'm glad it's posted here.

Man + Beer = More Man.

Re:GPG may not support this, but...
(Score:1) by The Man on Thursday August 24, @12:01PM EDT (#106)

GPG may not support this; however, what if a key created with GPG had this ADK appended to it and a PGP client was used to interpret and use the key?? Is there any chance in the world of general key misuse due to the fact that PGP is a rather popular client??

Yes of course. So 1) Don't use PGP5/6, 2) Don't accept anything from anyone who uses PGP5/6, and 3) Make certain all keys come from known sources.

Of course, since the vulnerable versions of PGP are the Microsoft ones, this shouldn't really be a problem. After all, nobody who uses Microsoft products is really worth communicating with anyway, securely or not.

Re:You just thought you were safe! (Score:2)
by Frank T. Lofaro Jr. on Thursday August 24, @12:03PM EDT (#110)

And unless you know a hell of a lot of intricate high-level mathematics, the NSA breaking your code will be the LEAST of your problems. Probably any halfway decent cryptanalyst could break your code trivially. Crypto ain't easy folks.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2000 OSDN.