[Tech] [dj@delorie.com: PGP Vulnerability Discovered]

Christopher R.Gabriel cgabriel@softwarelibero.org
Thu 24 Aug 2000 18:04:00 CEST


GHghghHGHGHG



----- Forwarded message from SlashZot <dj@delorie.com> -----

Delivered-To: cgabriel+slashzot@spock.linux.it
Date: Thu, 24 Aug 2000 12:00:19 -0400
To: slashzot@delorie.com
From: SlashZot <dj@delorie.com>
Subject: PGP Vulnerability Discovered
Reply-To: slashzot@delorie.com
Errors-To: nobody@delorie.com
X-Mailing-List: slashzot@delorie.com
X-Unsubscribes-To: listserv@delorie.com
Precedence: bulk

PGP Vulnerability Discovered

[1]Bruce Schneier, of Counterpane, sent in the word that a
[2]vulnerability has been found in PGP. He attached an
explanation below of what's going on, as well as a [3]paper
concerning the risks of key escrow.


From Bruce:


PGP Vulnerability


A very serious PGP vulnerability was just discovered. Using
this vulnerability, an attacker can create a modified version
of someone's public key that will force a sender to encrypt
messages to that person AND to the attacker.

Let me explain.

When Network Associates joined the Key Recovery Alliance,
they modified PGP to allow for third-party key recovery. They
did this by supporting something called an Additional
Decryption Key (ADK). Normally, when a PGP user creates a PGP
certificate, it contains a single public key (as well as
identifying information as to who the key belongs to). PGP
version 5 and 6 allow the user to add additional ADKs to the
certificate. When a sender encrypts a message to that user,
PGP will automatically encrypt the message in both the user's
public key and the ADK. The idea is that the ADK belongs to
the secret police, or the user's employer, or some
organization, and that organization can intercept the
encrypted message and read it.

A stupid idea, but that's the sort of thing that Key Escrow
demands.

The flaw is that some versions of PGP don't require the ADKs
to be in the signed portion of the PGP certificate. What this
means is that an organization can take a PGP certificate,
append its ADK, and spread it out to the world. This tampered
version of the certificate will remain unnoticed by anyone
who doesn't manually examine the bytes, and anyone using that
tampered version will automatically and invisibly encrypt all
messages to the organization as well as the certificate
owner.

Unfortunately, the problem won't go away until all vulnerable
versions of PGP are eradicated: it is the sender who is
responsible for encrypting to the ADKs, not the recipient.

Way back in 1998 a bunch of us cryptographers predicted that
adding Key Escrow would make system design harder, and would
result in even more security problems. This is an example of
that prediction coming true.

    <URL:http://slashdot.org/article.pl?sid=00/08/24/155214>
[1] <REF:http://www.counterpane.com>
[2] <REF:http://senderek.de/security/key-experiments.html>
[3] <REF:http://www.counterpane.com/key-escrow.html>


This is an automated posting to slashzot@delorie.com
See http://www.delorie.com/listserv/ to be removed.

----- End forwarded message -----
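As an added illustration (not part of the forwarded post and not PGP's own code), a toy Python model of the flaw Bruce describes: the self-signature covers only the hashed (signed) subpacket area, so an ADK appended to the unhashed area leaves the signature valid; the vulnerable recipient selection honours it, while the fixed one honours only ADKs the signature covers. The subpacket numbers, the HMAC stand-in for the owner's public-key signature, and the key names are assumptions.

```python
import hmac
import hashlib

# Subpacket type numbers used by this toy model (constructed; the real
# OpenPGP ADK subpacket number is not taken from the post).
ADK_SUBPACKET = 10
ISSUER_SUBPACKET = 16

def serialize(subpackets):
    """Canonical bytes for a list of (type, value) subpackets."""
    return b"".join(bytes([t]) + len(v).to_bytes(2, "big") + v for t, v in subpackets)

def self_sign(owner_secret, hashed):
    """Toy self-signature: an HMAC over the hashed (signed) area only. Real PGP uses
    a public-key signature; what matters is that the unhashed area is not covered."""
    return hmac.new(owner_secret, serialize(hashed), hashlib.sha256).digest()

def make_cert(owner_id, owner_secret, adks=()):
    """Owner-built certificate: any legitimate ADKs sit in the signed area."""
    hashed = [(ISSUER_SUBPACKET, owner_id)] + [(ADK_SUBPACKET, k) for k in adks]
    return {"owner": owner_id, "hashed": hashed, "unhashed": [],
            "sig": self_sign(owner_secret, hashed)}

def append_unsigned_adk(cert, extra_key):
    """The tampering the post describes: an ADK added outside the signed area."""
    return dict(cert, unhashed=cert["unhashed"] + [(ADK_SUBPACKET, extra_key)])

def signature_verifies(cert, owner_secret):
    expected = self_sign(owner_secret, cert["hashed"])
    return hmac.compare_digest(cert["sig"], expected)

def vulnerable_recipients(cert):
    """PGP 5/6 behaviour per the post: encrypt to every ADK found, signed or not."""
    adks = [v for t, v in cert["hashed"] + cert["unhashed"] if t == ADK_SUBPACKET]
    return [cert["owner"]] + adks

def safe_recipients(cert, owner_secret):
    """Fixed behaviour: verify the self-signature and honour only ADKs it covers."""
    if not signature_verifies(cert, owner_secret):
        raise ValueError("self-signature does not verify; reject the certificate")
    return [cert["owner"]] + [v for t, v in cert["hashed"] if t == ADK_SUBPACKET]

if __name__ == "__main__":
    secret = b"alice-signing-secret"  # constructed
    tampered = append_unsigned_adk(make_cert(b"ALICE", secret), b"EVE")
    print("signature still verifies:", signature_verifies(tampered, secret))  # True
    print("vulnerable sender encrypts to:", vulnerable_recipients(tampered))  # ALICE, EVE
    print("fixed sender encrypts to:", safe_recipients(tampered, secret))  # ALICE only
```

The tampered certificate passes signature verification in both versions; only the recipient-selection rule differs, which is why the fix must reach every sender.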





More information about the flug-tech list