Apparently newer versions of PGP public keys can be compromised without
the sender or receiver knowing about it unless they closely examine a
few bits.

Discussion on slashdot a few paragraphs down titled PGP Vulnerability Discovered
http://slashdot.org/

************

Tested versions of PGP:

    PGP-2.6.3ia UNIX     (not vulnerable - doesn't support V4 signatures)
    PGP-5.0i    UNIX     (not vulnerable)
    PGP-5.5.3i  WINDOWS  (VULNERABLE)
    PGP-6.5.1i  WINDOWS  (VULNERABLE)
    GnuPG-1.0.1 UNIX     (not vulnerable - doesn't support ADKs)

[funny how it's the Windows platforms? no mention of Mac yet]

************

From Bruce Schneier of Counterpane:

PGP Vulnerability

A very serious PGP vulnerability was just discovered. Using this
vulnerability, an attacker can create a modified version of someone's
public key that will force a sender to encrypt messages to that person
AND to the attacker. 

Let me explain. 

When Network Associates joined the Key Recovery Alliance, they modified
PGP to allow for third-party key recovery. They did this by supporting
something called an Additional Decryption Key (ADK). Normally, when a
PGP user creates a PGP certificate, it contains a single public key (as
well as identifying information as to who the key belongs to). PGP
version 5 and 6 allow the user to add additional ADKs to the
certificate. When a sender encrypts a message to that user, PGP will
automatically encrypt the message in both the user's public key and the
ADK. The idea is that the ADK belongs to the secret police, or the
user's employer, or some organization, and that organization can
intercept the encrypted message and read it. 

A stupid idea, but that's the sort of thing that Key Escrow demands. 

The flaw is that some versions of PGP don't require the ADKs to be in the
signed portion of the PGP certificate. What this means is that an
organization can take a PGP certificate, append its ADK, and spread it
out to the world. This tampered version of the certificate will remain
unnoticed by anyone who doesn't manually examine the bytes, and anyone
using that tampered version will automatically and invisibly encrypt all
messages to the organization as well as the certificate owner.

Unfortunately, the problem won't go away until all vulnerable versions
of PGP are eradicated: it is the sender who is responsible for encrypting
to the ADKs, not the recipient.

Way back in 1998 a bunch of us cryptographers predicted that adding Key
Escrow would make system design harder, and would result in even more
security problems. This is an example of that prediction coming true.

***************** 

Conclusions

So the following conclusions are inevitable:

1. Any DSS/DH-key can be manipulated to comprise new ADKs without the
user's consent or knowledge. The manipulated keys perform as well as if
the user had included the ADKs for himself originally.

2. RSA-keys which are transformed into the new key-format with a new
self-signature can be fortified with ADKs in the same way.

3. If you want to avoid the risk of those manipulations being made on your
own key or on other users' keys, you are well-advised to use PGP-2.6x or
PGP-Classic, which guarantees that only ADK-safe signatures will be made
and which reliably refuses to use DH-keys or RSA-keys in the new format. "

____________ e-gold-list Information ____________