Politech mailing list archives

FC: Note from cryptanalyst who discovered PGP bug


From: Declan McCullagh <declan () well com>
Date: Sat, 26 Aug 2000 13:15:50 -0700


---
Background: http://www.politechbot.com/p-01347.html
---



Date: Sat, 26 Aug 2000 17:29:05 +0100 (GMT)
From: Ralf Senderek <ralf () senderek de>

-----BEGIN PGP SIGNED MESSAGE-----


A note to the public.


I have been warning repeatedly about using newer versions of PGP for over
two years now. In a study I put on the net in August 1998 which is
also present on the PGP-International website I expressed my valuation
of the ADK-problem which came with the newer versions.
May I cite one sentence from my earlier work:

"I do not know which mechanism will prevent a user's public key from being
linked with another faked message recovery key without the user's
consent or knowledge."

I expressed my fear that this could happen and hoped that there would be
security-checking mechanisms to prevent it. But, not knowing much about
the details of signatures and packets in 1998, I finally started to put
this to a test, because in the meantime almost everyone had got used to the
new keys.
Having completed my study and made sure that everyone who repeats my tests
will get the same results, I presented my study to the public on Tuesday
22nd August 2000 and informed persons working on computer security
immediately.

So I did not find a bug in the PGP source code; that was Steve Early,
working with Ross Anderson, after having studied my experimental research
at Cambridge on Wednesday.
I discovered that there simply is no checking done, not even the attempt
to detect unauthorized manipulations of public keys.
This is not a bug, this is a scandal, because NAI put ADKs into PGP
without caring about simple manipulations. Obviously there has never been
a well thought-out security strategy and most of the relevant information
the public got from NAI concerning ADKs was completely untrue as my
experiments reveal.

No quick debugging will solve this situation and the damage being done
to the reputation of PGP by everyone who supports Additional Decryption Keys.

I am opposed to Additional Decryption Keys, as you know, but I do not want
people to turn away from PGP. I would like to see people getting rid
of the ADK-problem actively by checking the keys they use and avoiding
the new signature type.

"Use PGP-classic in a reliably secure environment." That would be my
advice if I had 49 characters left on the telegram.

Ralf Senderek

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

-----END PGP SIGNATURE-----




-------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------