Bugtraq mailing list archives
(Fwd) A closer look on the advisory
From: Stefan Kelm <kelm () secorvo de>
Date: Mon, 28 Aug 2000 13:19:55 +0200
Here's another comment from Ralf on the CERT Advisory:

------- Forwarded message follows -------
Date sent: Sun, 27 Aug 2000 12:52:39 +0100 (GMT)
From: Ralf Senderek <ralf () senderek de>
Subject: A closer look on the advisory

-----BEGIN PGP SIGNED MESSAGE-----

Hello Cert,

let me explain some of my previous remarks to improve your advisory. My last remark was somewhat ignoring the textual context, sorry, I should have looked closer, but as you may know, this was a busy day.

But let me come to your conditions, which will be globally cited and will be important for users to recognize their risks.

 * the sender must be using a vulnerable version of PGP
 * the sender must be encrypting data with a certificate modified by the attacker
 * the sender must acknowledge a warning dialog that an ADK is associated with the certificate
 * the sender must have the key for the bogus ADK already on their local keyring
 * the bogus ADK must be a certificate signed by a CA that the sender trusts
 * the attacker must be able to obtain the ciphertext sent from the sender to the victim

I cannot verify your third condition for every running PGP in the field. Can you? I think condition five is the one I would not accept. And people might think they need not be concerned if they are not trusting ADKs.

To prevent another disaster: Back in the old times, before those clickable damage traps came up, trust had something to do with using your secret key. When getting a new key the user had to do something which was not done in half a second. Adding a key without using your secret key would bring the key into the keyring, but it would still be handled as untrusted. Accepting it as a trusted key would have required self-certification or having authorized another key as an introducer, which would require using your secret key as well.

Today exposing yourself to the risk I had described would require only getting the manipulated key and pressing the OK-button, and because no secret key is used one should not call this trust. That is why no trust is necessary to make the manipulation work. The bogus ADK just has to be present in the key ring, that's all. As you may have noticed, neither of my test keys has a signature of any other key, except key-B2 and key-B3, which are designed to test if certificates made by certification authorities can be used for contamination as well.

Another point which you do not emphasize enough is the vulnerability of RSA keys. Or may I say the lack of it. Your statement was:

"The recipient may use any type of PGP key, including RSA and Diffie-Hellman. The version of PGP used by the recipient has no impact on the attack."

You failed to tell the people that neither RSA nor Diffie-Hellman is the problem but Version-4 self-signatures, as I had discovered. To produce a Version-4 RSA key from a Version-3 RSA key is possible, but it had to be done with a key editor; I never saw the transformation happen automatically, as I documented in my paper. So the difference between RSA and Diffie-Hellman is important, because all DH keys are Version 4 and vulnerable, and only those RSA keys which have been tampered with and whose key-ID had changed in the manipulation can be contaminated. The vast majority of RSA key users who know their key-ID well can be sure that their key is not affected after having checked that it has an old-style self-signature. Please do not add to the denigration of RSA keys; they are different in respect to the ADK problem.

All this information was in my paper, but I hope I have pointed out some important details.

Ralf Senderek

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek <ralf () senderek de>                * What is privacy *
* http://senderek.de                                 * without         *
* Tel.: 02432-3960  Sandstr. 60  D-41849 Wassenberg  * PGP-2.6.3i?     *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
-----END PGP SIGNATURE-----

------- End of forwarded message -------

--------------------------------------------------------
PKI-Symposium, 10.-11.Oktober 2000, www.pki-symposium.de
--------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm () secorvo de, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
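The forwarded message turns on the difference between an old-style (Version 3) self-signature, which has no subpacket area at all, and a Version 4 self-signature, whose hashed and unhashed subpacket areas are where an ADK can be attached. The checker below is an added example, not code from the original message, from CERT or from PGP; it assumes OpenPGP packet framing as in RFC 2440 and that PGP's ADK is carried as signature subpacket type 10. The two key blobs are constructed by hand with dummy MPIs, key IDs and fingerprints, so only the packet framing is real.

```python
import struct

ADK_SUBPACKET = 10  # assumed: subpacket type PGP uses for an Additional Decryption Key

def _packets(data):
    """Yield (tag, body) for old- and new-format OpenPGP packet headers (partial lengths not handled)."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, b = ctb & 0x3F, data[i]; i += 1
            if b < 192: n = b
            elif b < 224: n = ((b - 192) << 8) + data[i] + 192; i += 1
            else: n = struct.unpack(">I", data[i:i + 4])[0]; i += 4   # 255: four-octet length
        else:                                            # old-format header
            tag, size = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
            n = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + n]; i += n

def _subpackets(area):
    """Yield (type, data) from a Version 4 signature subpacket area."""
    i = 0
    while i < len(area):
        b = area[i]; i += 1
        if b < 192: n = b
        elif b < 255: n = ((b - 192) << 8) + area[i] + 192; i += 1
        else: n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        yield area[i] & 0x7F, area[i + 1:i + n]; i += n  # bit 7 is the "critical" flag

def audit_key(blob):
    """Report the public-key packet version and, per signature, its version and any ADK subpackets."""
    report = {"key_version": None, "signatures": []}
    for tag, body in _packets(blob):
        if tag == 6:                                     # public-key packet
            report["key_version"] = body[0]
        elif tag == 2 and body[0] == 3:                  # old-style signature: no subpacket areas
            report["signatures"].append({"version": 3, "adk_hashed": False, "adk_unhashed": False})
        elif tag == 2 and body[0] == 4:                  # v4: hashed area, then unhashed area
            hlen = struct.unpack(">H", body[4:6])[0]
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            hashed, unhashed = body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]
            report["signatures"].append({"version": 4,
                "adk_hashed": any(t == ADK_SUBPACKET for t, _ in _subpackets(hashed)),
                "adk_unhashed": any(t == ADK_SUBPACKET for t, _ in _subpackets(unhashed))})
    return report

# Constructed samples: v3 RSA key + user ID + v3 self-signature, and v4 key + user ID + v4
# self-signature carrying a type-10 subpacket in its unhashed area (dummy values throughout).
V3_KEY = bytes([0x98, 14, 3, 0, 0, 0, 1, 0, 0, 1, 0, 8, 0xC3, 0, 2, 3, 0xB4, 5]) + b"Alice" + bytes(
    [0x88, 22, 3, 5, 0x13, 0, 0, 0, 1] + [0xAB] * 8 + [1, 1, 0, 0, 0, 8, 0xC3])
V4_KEY = bytes([0x98, 12, 4, 0, 0, 0, 1, 1, 0, 8, 0xC3, 0, 2, 3, 0xB4, 5]) + b"Alice" + bytes(
    [0x88, 43, 4, 0x13, 1, 2, 0, 6, 5, 2, 0, 0, 0, 1, 0, 24, 23, 10, 0x80, 1] + [0xCD] * 20 + [0, 0, 0, 8, 0xC3])
```

Run audit_key() over a binary (not ASCII-armored) public key export; a key whose self-signatures all report version 3 is the "old-style self-signature" case the message describes, while any version 4 entry with an ADK flag set deserves a closer look.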