Bugtraq mailing list archives

(Fwd) A closer look on the advisory


From: Stefan Kelm <kelm () secorvo de>
Date: Mon, 28 Aug 2000 13:19:55 +0200

Here's another comment from Ralf on the CERT Advisory:

------- Forwarded message follows -------
Date sent:              Sun, 27 Aug 2000 12:52:39 +0100 (GMT)
From:                   Ralf Senderek <ralf () senderek de>
Subject:                A closer look on the advisory

Hello Cert,

let me explain some of my previous remarks to improve your advisory.

My last remark was somewhat ignoring the textual context; sorry, I
should have looked closer, but as you may know, this was a busy day.

But let me come to your conditions which will be globally cited and
will be important for users to recognize their risks.

    * the sender must be using a vulnerable version of PGP
    * the sender must be encrypting data with a certificate modified by
      the attacker
    * the sender must acknowledge a warning dialog that an ADK is
      associated with the certificate
    * the sender must have the key for the bogus ADK already on their local
      keyring
    * the bogus ADK must be a certificate signed by a CA that the sender
      trusts
    * the attacker must be able to obtain the ciphertext sent from the sender
      to the victim

I cannot verify your third condition for every running PGP in the field.
Can you?

I think condition five is the one I would not accept.
And people might think they need not be concerned if they are not
trusting ADKs. To prevent another disaster:

Back in the old times, before those clickable damage traps came up,
trust had something to do with using your secret key. When getting
a new key the user had to do something which was not done in half a
second. Adding a key without using your secret key would bring the key
into the keyring, but it would still be handled as untrusted. Accepting
it as a trusted key would have required self-certification or having
authorized another key as an introducer, which would require using
your secret key as well.

Today exposing yourself to the risk I had described would require only
getting the manipulated key and pressing the OK-button, and because
no secret key is used one should not call this trust.
That is why no trust is necessary to make the manipulation work.
The bogus ADK just has to be present in the key ring, that's all.

As you may have noticed, none of my test keys has a signature of any other
key except key-B2 and key-B3, which are designed to test whether certificates
made by certification authorities can be used for contamination as well.


Another point which you do not emphasize enough is the vulnerability of
RSA keys. Or may I say the lack of it.

Your statement was:

"The recipient may use any type of PGP key, including RSA and
Diffie-Hellman. The version of PGP used by the recipient has no impact
on the attack."

You failed to tell the people that neither RSA nor Diffie-Hellman is the
problem but Version-4 self-signatures, as I had discovered.
To produce a Version-4 RSA key from a Version-3 RSA key is possible,
but it had to be done with a key editor; I never saw the transformation
happen automatically, as I documented in my paper. So the difference between
RSA and Diffie-Hellman is important, because all DH keys are Version-4 and
vulnerable, and only those RSA keys which have been tampered with and whose
key-ID has changed in the manipulation can be contaminated. The vast
majority of RSA key users who know their key-ID well can be sure that
their key is not affected after having checked that it has an old-style
self-signature.

Please do not add to the denigration of RSA keys; they are different
in respect to the ADK problem.

All this information was in my paper but I hope I have pointed out some
important details.


Ralf Senderek

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf () senderek de>                     * What is privacy *
* http://senderek.de                                    *     without     *
* Tel.: 02432-3960    Sandstr. 60   D-41849 Wassenberg  *   PGP-2.6.3i?   *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*


------- End of forwarded message -------

--------------------------------------------------------
PKI-Symposium, 10.-11.Oktober 2000, www.pki-symposium.de
--------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm () secorvo de, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
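The distinction Ralf draws between old-style (v3) self-signatures, which have no subpacket areas at all, and v4 self-signatures, where an ADK subpacket can sit in the unhashed area that the signature does not cover, can be checked mechanically. The following Python script is an added example, not code from the mail, the advisory or any PGP implementation: it parses the body of an OpenPGP signature packet (RFC 2440 layout) and reports whether an ADK subpacket is present and in which area. The ADK subpacket number 10 and its data layout (class octet, algorithm, 20-octet fingerprint) are assumptions, and all sample bytes are constructed, not taken from a real key.

```python
import struct

ADK_SUBPACKET = 10  # assumption: PGP's ADK subpacket number (RFC 2440's reserved slot 10)

def parse_subpackets(area):
    """Walk a signature subpacket area; return (type, critical, data) tuples."""
    out, i = [], 0
    while i < len(area):
        b0 = area[i]
        if b0 < 192:                                   # one-octet length
            length, i = b0, i + 1
        elif b0 < 255:                                 # two-octet length
            length, i = ((b0 - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                          # five-octet length
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        tag = area[i]                                  # first data octet is the type
        out.append((tag & 0x7F, bool(tag & 0x80), bytes(area[i + 1:i + length])))
        i += length
    return out

def parse_signature_body(body):
    """Parse a signature packet body (tag 2). v3 has no subpacket areas at all."""
    if body[0] == 3:
        return {"version": 3, "hashed": [], "unhashed": []}
    assert body[0] == 4, "unsupported signature version"
    hlen = struct.unpack(">H", body[4:6])[0]          # after version, type, pk alg, hash alg
    hashed = parse_subpackets(body[6:6 + hlen])
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = parse_subpackets(body[8 + hlen:8 + hlen + ulen])
    return {"version": 4, "hashed": hashed, "unhashed": unhashed}

def adk_findings(body):
    """Report every ADK subpacket and whether the signature hash covers it."""
    sig = parse_signature_body(body)
    if sig["version"] == 3:
        return ["v3 self-signature: no subpackets, cannot carry an ADK"]
    found = [f"ADK subpacket in {area} area (key id {data[-8:].hex()})"
             for area in ("hashed", "unhashed")        # only the hashed area is signed
             for tag, _crit, data in sig[area] if tag == ADK_SUBPACKET]
    return found or ["v4 self-signature: no ADK subpacket"]

def v4_body(hashed, unhashed):                         # constructed sample body, MPIs omitted
    enc = lambda sps: b"".join(bytes([len(d) + 1, t]) + d for t, d in sps)
    h, u = enc(hashed), enc(unhashed)
    return bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(h)) + h + struct.pack(">H", len(u)) + u

FAKE_FP, CREATED = bytes(range(0x10, 0x24)), (2, b"\x39\xa9\x00\x00")   # constructed sample values
CLEAN_SIG = v4_body([CREATED], [])
CONTAMINATED_SIG = v4_body([CREATED], [(ADK_SUBPACKET, b"\x80\x11" + FAKE_FP)])  # class, alg, fingerprint
V3_SIG = bytes([3, 5, 0x13]) + b"\x39\xa9\x00\x00" + b"\x01" * 8 + bytes([1, 1, 0, 0])
```

A keyring audit would feed each self-signature body on a key through adk_findings and treat any "unhashed" finding as a contamination that the signer never vouched for.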