Information Security News mailing list archives
Pretty Good Privacy?
From: InfoSec News <isn () C4I ORG>
Date: Thu, 31 Aug 2000 23:15:50 -0500
*********************************************************************

Ugly Mistake for Pretty Good
by Jay D. Dyson

"If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography." -- Bruce Schneier

Pretty Good Privacy (PGP) has a long and colorful history. Since its debut in 1991 by cryptographer Phil Zimmermann, PGP attracted immediate attention. The notion of "public key encryption for the masses" achieved instant recognition not only from privacy advocates, but also from the National Security Agency. Over the years, PGP stood as a bulwark for personal privacy amidst the introduction of the U.S. government's Clipper proposal and increasingly expansive wiretapping legislation.

An equally rocky legal history couples with PGP's turbulent political history. Issues regarding PGP's use of the RSA public key implementation and charges of violating the U.S. International Traffic in Arms Regulations (ITAR) continually dogged both the program and its author. To stave off these complications, PGP formed strategic partnerships with ViaCrypt and MIT. Then, in 1998, Network Associates, Inc. (NAI) acquired PGP.

http://www.cypherspace.org/~adam/timeline/
http://www.freedomfighter.net/crypto/pgp-history.html

PGP had finally come of age. Its "banditware" reputation faded into the background, and it quickly achieved legitimacy in the eyes of corporate America. In December of 1999, PGP even earned an export license from its once-greatest nemesis -- the U.S. Government. Everything seemed rosy.

However, NAI, the proud owner of PGP, also happened to belong to the Key Recovery Alliance, an organization advocating government key escrow. Though NAI disavowed its membership with the KRA in 1997, it quietly resumed ties with the organization. To that end, NAI also continued their work with Additional Decryption Keys (ADK) with PGP. ADKs, introduced as an alternative to key escrow, were touted as a feature for businesses using PGP.
With ADKs, a company can add a master key to the user's public key. That way, if an employee leaves the company, the company will still be able to decrypt that employee's files. What could possibly be wrong with that? Plenty.

http://www.fitug.de/debate/9811/msg00233.html
http://www.cdt.org/crypto/risks98/

Shortly after ADK's 1998 inclusion into PGP, many in the cryptographic community began voicing concerns regarding its use. The most ominous among them was Ralf Senderek's evaluation that read in part:

"I do not know which mechanism will prevent a user's public key to be linked with another faked message recovery key without the user's consent or knowledge."

Two years later, his concern was validated.

On August 24, 2000, Ralf Senderek discovered a vulnerability in version 5 and 6 PGP public keys to unauthorized ADK modification. Some versions of PGP respond to ADK subpackets in the non-signed part of the public key data structure. Thus, any third party could issue a tampered copy of one's PGP public key containing their own public key. Anything encrypted on Jane User's public key would then also be encrypted on Joe Intruder's public key, effectively giving Joe access to any and all private data meant only for Jane's eyes.

http://senderek.de/security/key-experiments.html
http://cryptome.org/pgp-badbug.htm

As Senderek points out, the problem won't go away until all vulnerable PGP versions are retired, since it's the sender responsible for encrypting to the ADKs, not the recipient. Keep in mind, the vast majority of NAI PGP users also use programs such as MS Outlook (already demonstrably insecure considering the "Melissa" and "I Love You" variants that brought such systems to their knees). Supposing they would not detect an unauthorized ADK attack if they experienced it requires no suspension of disbelief.

The fallout of this revelation was swift.
Amongst the hue and cry over Senderek's report came wholesale PGP keyserver cleansing efforts and a sudden groundswell of people speaking out against PGP's use, favoring instead other public key cryptographic programs such as Gnu Privacy Guard (GPG). Even seasoned users of the older versions of PGP questioned its continued use.

"[They] became so preoccupied with whether or not they *could* that they didn't stop to think if they *should*." -- Ian Malcolm (from Jurassic Park)

PGP's philosophy and use are sound; however, NAI sacrificed the core security on which every public key cryptographic system relies in its rush to implement new "value-added" features. In doing so, they have also risked the hard-won confidence PGP has cultivated since it was first distributed across the Internet.

Many others, including myself, have long since abandoned use of any cryptographic system that does not make freely available its source code. This latest incident only serves to galvanize my stance. While I will continue using NAI's version of PGP as my customers may require, I will only trust the version that I have personally reviewed and compiled. This may seem backward to some, but it is essential to me.

In looking back on the events of this past week, I have to concur with Senderek's latest comment: "This is not a bug, this is a scandal..."

Resources

Flaw found in PGP code
Defect allows attacker to decrypt personal data
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2310,00.html

Attacking Linux
To stop an attacker, think like a cracker
http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html

RSA upgrading its Keon PKI security software
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2347,00.html

Freeware encryption as alternative to PGP
GnuPG exempt from government export restrictions
http://www.linuxworld.com/linuxworld/lw-1999-01/lw-01-gnupg.html

************************************************************************

About the author
----------------
Jay D. Dyson is a senior security consultant for OneSecure, Inc., a company specializing in managed network and host security services. He also serves as a part-time consultant on security issues for the National Aeronautics and Space Administration in Pasadena. He has been a system administrator for over 15 years on various platforms.

*********************************************************************
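
Added example (not part of the original article, and not code from PGP or GnuPG): the article says vulnerable versions respond to ADK subpackets in the non-signed part of the key, so this Python check parses the body of a version 4 OpenPGP signature packet and reports whether a type 10 (ADK) subpacket sits in the hashed area, which the signature covers, or in the unhashed area, which it does not. The function names and the sample packets are constructed for illustration.

```python
import struct

ADK = 10  # subpacket type 10: "additional decryption key" in RFC 2440

def subpackets(area):
    """Split one subpacket area into (type, body) pairs."""
    out, i = [], 0
    while i < len(area):
        n = area[i]
        if n < 192:                                   # one-octet length
            i += 1
        elif n < 255 and i + 1 < len(area):           # two-octet length
            n, i = ((n - 192) << 8) + area[i + 1] + 192, i + 2
        elif n == 255 and i + 5 <= len(area):         # five-octet length
            n, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        else:
            raise ValueError("truncated subpacket length")
        if n < 1 or i + n > len(area):
            raise ValueError("malformed subpacket")
        out.append((area[i] & 0x7F, area[i + 1:i + n]))  # mask the critical bit
        i += n
    return out

def find_adk(sig_body):
    """Return [(area, body_hex)] for each ADK subpacket in a v4 signature body."""
    if len(sig_body) < 6 or sig_body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    h_end = 6 + struct.unpack(">H", sig_body[4:6])[0]
    if h_end + 2 > len(sig_body):
        raise ValueError("hashed area overruns packet")
    u_end = h_end + 2 + struct.unpack(">H", sig_body[h_end:h_end + 2])[0]
    if u_end > len(sig_body):
        raise ValueError("unhashed area overruns packet")
    areas = (("hashed", sig_body[6:h_end]), ("unhashed", sig_body[h_end + 2:u_end]))
    return [(name, body.hex()) for name, area in areas
            for t, body in subpackets(area) if t == ADK]

def _sp(t, data):  # build a short subpacket: length octet, type octet, body
    return bytes([len(data) + 1, t]) + data

def sample(adk_unhashed):
    """Constructed self-signature body; the ADK body layout (class, algorithm,
    20-byte fingerprint placeholder) is an assumption and is not interpreted."""
    adk = _sp(ADK, bytes([0x80, 17]) + bytes(range(20)))
    hashed = _sp(2, b"\x39\xae\xf0\x00") + (b"" if adk_unhashed else adk)
    unhashed = _sp(16, bytes(8)) + (adk if adk_unhashed else b"")
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")

if __name__ == "__main__":
    for label, flag in (("as issued", False), ("tampered copy", True)):
        for area, body in find_adk(sample(flag)):
            verdict = "covered by signature" if area == "hashed" else "NOT signed"
            print(f"{label}: ADK subpacket in {area} area ({verdict}): {body}")
```

A finding in the unhashed area means the ADK request is not protected by the key owner's self-signature and should not be honored.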