Re: SOT: Gaping hole in NAI PGP
Hi Deryk Lister, On Saturday, August 26, 2000 at 1:12:49 AM you wrote: If I understand this right, it basically makes PGP almost completely worthless. A public key can be tweaked whilst keeping the fingerprint the same, and then re-uploaded to the keyservers or handed out to others on your behalf. If someone sends mail to this tweaked key, you can still decode it - but so can the cracker! There's not a lot you can do about it; all keys made with Nai's PGP 5 or greater have this flaw. That's nonsense, sorry. The bug is only related to the ADK-technology in those PGP versions. That's a technology that enables, say, the boss of a company to create custom keys for his employees while retaining a second key (or backdoor) for himself. This (intended) functionality is somehow flawed, hence the vulnerability. This doesn't in any way at all effect the effectiveness of PGP encryption in any single-user day-to-day use. I'm citing the article from BUGTRAQ, which contains some links about the issue. From [EMAIL PROTECTED]: In case you have not heard there is a serious bug in some versions of PGP related to additonal decryption keys (ADK). For more information look at John Young's site which details some of this: http://cryptome.org/pgp-badbug.htm Quoting from an email on the site: "Tested versions of PGP: PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures) PGP-5.0i UNIX (not vulnerable) PGP-5.5.3i WINDOWS (VULNERABLE) PGP-6.5.1i WINDOWS (VULNERABLE) GnuPG-1.0.1 UNIX (not vulnerable)" A paper detailing an aspect of the vulnerability is written by Ralf Senderek: http://senderek.de/security/key-experiments.html and his student Stephen Early [EMAIL PROTECTED] seems to have worked on detailing this vulnerability as well on the ukcrypto mailing list. Oliver Sturm -- % \(- (-: Command not found. -- Oliver Sturm / [EMAIL PROTECTED] Key ID: 71D86996 Fingerprint: 8085 5C52 60B8 EFBD DAD0 78B8 CE7F 38D7 71D8 6996 -- -- View the TBUDL archive at http://tbudl.thebat.dutaint.com To send a message to the list moderation team double click here: mailto:[EMAIL PROTECTED] To Unsubscribe from TBUDL, double click here and send the message: mailto:[EMAIL PROTECTED] -- You are subscribed as : archive@jab.org
Re: SOT: Gaping hole in NAI PGP
Hi Oliver Sturm, ;) On Saturday, August 26, 2000 at 1:28:28 AM you wrote: That's nonsense, sorry. The bug is only related to the ADK-technology in those PGP versions. That's a technology that enables, say, the boss of a company to create custom keys for his employees while retaining a second key (or backdoor) for himself. This (intended) functionality is somehow flawed, hence the vulnerability. This doesn't in any way at all effect the effectiveness of PGP encryption in any single-user day-to-day use. I'm citing the article from BUGTRAQ, which contains some links about the issue. OK, I was obviously slightly mistaken on some parts of this. It might actually be possible to read someone else's email exploiting this bug. Still seems highly surrealistic to me, I just wanted to follow up to correct my bold statement. Oliver Sturm -- %make love Make: Don't know how to make love. Stop. -- Oliver Sturm / [EMAIL PROTECTED] Key ID: 71D86996 Fingerprint: 8085 5C52 60B8 EFBD DAD0 78B8 CE7F 38D7 71D8 6996 -- -- View the TBUDL archive at http://tbudl.thebat.dutaint.com To send a message to the list moderation team double click here: mailto:[EMAIL PROTECTED] To Unsubscribe from TBUDL, double click here and send the message: mailto:[EMAIL PROTECTED] -- You are subscribed as : archive@jab.org
Re: SOT: Gaping hole in NAI PGP
Hi Oliver Sturm, Following myself up a last time ;) On Saturday, August 26, 2000 at 1:37:36 AM you wrote: If you are very interested in this issue, read http://www.pgp.com/other/advisories/adk.asp Seems like NAI tries to be real fast for a change ;) Oliver Sturm -- Linux: The Ultimate NT Service Pack -- Oliver Sturm / [EMAIL PROTECTED] Key ID: 71D86996 Fingerprint: 8085 5C52 60B8 EFBD DAD0 78B8 CE7F 38D7 71D8 6996 -- -- View the TBUDL archive at http://tbudl.thebat.dutaint.com To send a message to the list moderation team double click here: mailto:[EMAIL PROTECTED] To Unsubscribe from TBUDL, double click here and send the message: mailto:[EMAIL PROTECTED] -- You are subscribed as : archive@jab.org
Re: SOT Gaping hole in NAI PGP
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi Oliver, On 26 August 2000 at 02:04:07 GMT +0200 (which was 01:04 where I live) [EMAIL PROTECTED] wrote and made these points on the subject of "Gaping hole in NAI PGP": I got the impression that the hole is created with the key generation and that to eliminate the potential problem we'd have to upgrade as well as generate new keys. OS Read http://www.cert.org/advisories/CA-2000-18.html, that's the best OS explanation I've seen. For the sake of clarity, here are the highlights of the vulnerability issues that pertain: For this vulnerability to be exploited, the following conditions must hold: the sender must be using a vulnerable version of PGP the sender must be encrypting data with a certificate modified by the attacker the sender must acknowledge a warning dialog that an ADK is associated with the certificate the sender must already have the key for the bogus ADK on their local keyring the bogus ADK must be a certificate signed by a CA that the sender trusts the attacker must be able to obtain the ciphertext sent from the sender to the victim - - -- Cheers, .\\arck Marck D. Pearlstone | Moderator TBUDL / TBBETA PGP Key ID: 0x929DCDA0 | www: http://www.silverstones.com PGP Key: mailto:[EMAIL PROTECTED]?Body=GET%20MARCKKEY File not found. Should I fake it? (Y/N) TB! v1.46 Beta/3 S/N 14F4B4B2 on Windows 98 4.10 Build 1998 - -BEGIN PGP SIGNATURE- Version: PGP 6.5i Comment: PGP Signed so you know it's really me iQA/AwUBOacPFjnkJKuSnc2gEQItjACfeozXqjC9mFFumGf2rJjERe3VzAkAn3cq 8lq7dE9uBRpO5A3gRIbRO4QT =wbx5 - -END PGP SIGNATURE- -BEGIN PGP SIGNATURE- Version: PGP 6.5i Comment: PGP Signed so you know it's really me iQA/AwUBOacPKTnkJKuSnc2gEQJaXQCg0jwL7QLfh+MQACskay5nzhshfjoAnA2C yK+3b9UFZjBudfmk81CVgOYe =ZBWc -END PGP SIGNATURE- -- -- View the TBUDL archive at http://tbudl.thebat.dutaint.com To send a message to the list moderation team double click here: mailto:[EMAIL PROTECTED] To Unsubscribe from TBUDL, double click here and send the message: mailto:[EMAIL PROTECTED] -- You are subscribed as : archive@jab.org