IP: RE: When will they learn

[Dave Farber <farber () cis upenn edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> From: "Eric D. Williams" <eric () infobro com>
> To: "'farber () cis upenn edu'" <farber () cis upenn edu>
> Subject: RE: When will they learn
> Date: Fri, 25 Aug 2000 14:51:53 -0400
>
> I hear ya Dave.  But, with the recent disclosure of vulnerabilities in the 
> PGP
> implementations which support Additional Decryption Keys (ADKs) we may have a
> new issue concerning (at least) encypted IPM contents.   Whoaa, wait until 
> the
> SEC get a hold of that bug-a-boo. See attached.
>
> Eric
>
> Eric Williams, Pres.
> Information Brokers, Inc.
> http://www.infobro.com/
>
>                     PGP Public Key
>    http://new.infobro.com/KeyServ/EricDWilliams.asc
> Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789
>
> From: Adam Back <adam () cypherspace org>
> To: "Ross.Anderson () cl cam ac uk" <Ross.Anderson () cl cam ac uk>
> Cc: "ukcrypto () maillist ox ac uk" <ukcrypto () maillist ox ac uk>, 
> "ietf-openpgp () imc org" <ietf-openpgp () imc org>
> Subject: Re: Serious bug in PGP - versions 5 and 6
> Date: Thu, 24 Aug 2000 11:24:48 -0400
> MIME-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
>
>
> Ross Anderson writes on uk-crypto:
> > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
> >
> > [...]
> >
> > He's written a paper on his work and it's at
> >
> >         http://senderek.de/security/key-experiments.html
> >
> > Since NAI joined the Key Recovery Alliance, PGP has supported
> > "Additional Decryption Keys" which can be added to a public key.
> >
> > The sender will then encrypt the session key to these as well as to
> > your main public key. The bug is that some versions of PGP respond
> > to ADK subpackets in the non-signed part of the public key data
> > structure.  The effect is that GCHQ can create a tampered version of
> > your PGP public key containing a public key whose corresponding
> > private key is also known to themselves, and circulate it. People
> > who encrypt traffic to you will encrypt it to them too.
>
> Amazing, and really unfortunate.  Those of us who invested large
> amounts of effort in ensuring the ADK subpackets were not included in
> the ietf openPGP standard can be pleased we succeeded -- otherwise
> gnuPG and other implementations may now also have contributed to this
> risk.  As it is gnuPG doesn't honor ADK requests, and all the rfc2440
> says about them is:
>
>        10 = placeholder for backward compatibility
>
> At the time I was suggesting that if PGP really must insist on
> creating software to escrow communications (the primary argument being
> that people didn't want to lose access to the stored mail as opposed
> to being able to have designated third parties snooping mail in
> transit) they should use storage key escrow.
>
> My main premise was that communication key escrow is too risky because
> an outside attacker gets the plaintext:
>
>         http://www.cypherspace.org/~adam/cdr/
>
> "Keys used to encrypt email which is transmitted over the Internet are
> more valuable to an attacker than keys used to encrypt stored files
> because of the relative ease with which an attacker can obtain copies
> of emailed ciphertext. Stored encrypted files in contrast are
> protected by all the physical security systems the company is relying
> on to protect it's paper files, plaintext data stored on disks, and
> backup tapes. [...]"
>
> There was also lots of political discussion of how unwise it was for
> PGP to create a escrow infrastructure which could as easily be used by
> governments as by SEC companies to archive their employees
> communications.
>
> And people quoting Phil Zimmermann a few years earlier complaining
> about ViaCrypt's PGP4 for business variant which had "escrow" in the
> form of a third party "encrypt-to-self" config file setting.
>
> And I believe I recall the NSA or some other US government body
> picking up on the CMR / ADK mechanism and holding it up as evidence
> against the claim that key recover was complex ... "see PGP did it,
> this works".
>
> > It's of scientific interest because it spectacularly confirms a
> > prediction made by a number of us in the paper on `The Risks of Key
> > Recovery, Key Escrow, and Trusted Third-Party Encryption'
> > <http://www.cdt.org/crypto/risks98/> that key escrow would make it
> > much more difficult than people thought to build secure systems.
>
> Yes.  It really highlights the truth in the statement about the
> new risks introduced by adding key escrow.
>
> Adam

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOabbKUcjSsn74l54EQK9mQCg0N2FZUHXd9LgtzD86EvItV33mVgAoNq+
1Rw9A0Gc630YU+AMOTn8XR2B
=g+LV
-----END PGP SIGNATURE-----