Interesting People mailing list archives
IP: RE: When will they learn
From: Dave Farber <farber () cis upenn edu>
Date: Fri, 25 Aug 2000 16:46:33 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
From: "Eric D. Williams" <eric () infobro com> To: "'farber () cis upenn edu'" <farber () cis upenn edu> Subject: RE: When will they learn Date: Fri, 25 Aug 2000 14:51:53 -0400 I hear ya Dave. But, with the recent disclosure of vulnerabilities in the PGP implementations which support Additional Decryption Keys (ADKs) we may have a new issue concerning (at least) encypted IPM contents. Whoaa, wait until the SEC get a hold of that bug-a-boo. See attached. Eric Eric Williams, Pres. Information Brokers, Inc. http://www.infobro.com/ PGP Public Key http://new.infobro.com/KeyServ/EricDWilliams.asc Finger Print: 1055 8AED 9783 2378 73EF 7B19 0544 A590 FF65 B789 From: Adam Back <adam () cypherspace org> To: "Ross.Anderson () cl cam ac uk" <Ross.Anderson () cl cam ac uk> Cc: "ukcrypto () maillist ox ac uk" <ukcrypto () maillist ox ac uk>, "ietf-openpgp () imc org" <ietf-openpgp () imc org> Subject: Re: Serious bug in PGP - versions 5 and 6 Date: Thu, 24 Aug 2000 11:24:48 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Ross Anderson writes on uk-crypto:Ralf Senderek has found a horrendous bug in PGP versions 5 and 6. [...] He's written a paper on his work and it's at http://senderek.de/security/key-experiments.html Since NAI joined the Key Recovery Alliance, PGP has supported "Additional Decryption Keys" which can be added to a public key. The sender will then encrypt the session key to these as well as to your main public key. The bug is that some versions of PGP respond to ADK subpackets in the non-signed part of the public key data structure. The effect is that GCHQ can create a tampered version of your PGP public key containing a public key whose corresponding private key is also known to themselves, and circulate it. People who encrypt traffic to you will encrypt it to them too.Amazing, and really unfortunate. Those of us who invested large amounts of effort in ensuring the ADK subpackets were not included in the ietf openPGP standard can be pleased we succeeded -- otherwise gnuPG and other implementations may now also have contributed to this risk. As it is gnuPG doesn't honor ADK requests, and all the rfc2440 says about them is: 10 = placeholder for backward compatibility At the time I was suggesting that if PGP really must insist on creating software to escrow communications (the primary argument being that people didn't want to lose access to the stored mail as opposed to being able to have designated third parties snooping mail in transit) they should use storage key escrow. My main premise was that communication key escrow is too risky because an outside attacker gets the plaintext: http://www.cypherspace.org/~adam/cdr/ "Keys used to encrypt email which is transmitted over the Internet are more valuable to an attacker than keys used to encrypt stored files because of the relative ease with which an attacker can obtain copies of emailed ciphertext. Stored encrypted files in contrast are protected by all the physical security systems the company is relying on to protect it's paper files, plaintext data stored on disks, and backup tapes. [...]" There was also lots of political discussion of how unwise it was for PGP to create a escrow infrastructure which could as easily be used by governments as by SEC companies to archive their employees communications. And people quoting Phil Zimmermann a few years earlier complaining about ViaCrypt's PGP4 for business variant which had "escrow" in the form of a third party "encrypt-to-self" config file setting. And I believe I recall the NSA or some other US government body picking up on the CMR / ADK mechanism and holding it up as evidence against the claim that key recover was complex ... "see PGP did it, this works".It's of scientific interest because it spectacularly confirms a prediction made by a number of us in the paper on `The Risks of Key Recovery, Key Escrow, and Trusted Third-Party Encryption' <http://www.cdt.org/crypto/risks98/> that key escrow would make it much more difficult than people thought to build secure systems.Yes. It really highlights the truth in the statement about the new risks introduced by adding key escrow. Adam
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOabbKUcjSsn74l54EQK9mQCg0N2FZUHXd9LgtzD86EvItV33mVgAoNq+ 1Rw9A0Gc630YU+AMOTn8XR2B =g+LV -----END PGP SIGNATURE-----
Current thread:
- IP: RE: When will they learn Dave Farber (Aug 25)