[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[freehaven-dev] [Fwd: [Fwd: Serious bug in PGP - versions 5 and 6]]

To: freehaven-dev@freehaven.net
Subject: [freehaven-dev] [Fwd: [Fwd: Serious bug in PGP - versions 5 and 6]]
From: "Michael J. Freedman" <mfreed@zeroknowledge.com>
Date: Thu, 24 Aug 2000 14:04:45 -0400
Delivery-Date: Thu, 24 Aug 2000 14:05:11 -0400
Reply-To: freehaven-dev@freehaven.net
Sender: owner-freehaven-dev@freehaven.net

Ben Laurie wrote:
> 
> --
> http://www.apache-ssl.org/ben.html
> 
> Coming to ApacheCon Europe 2000? http://apachecon.com/
> 
>   ------------------------------------------------------------------------
> 
> Subject: Serious bug in PGP - versions 5 and 6
> Date: Thu, 24 Aug 2000 08:09:07 +0100
> From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
> Reply-To: ukcrypto@maillist.ox.ac.uk
> To: ukcrypto@maillist.ox.ac.uk
> 
> Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
> It's of scientific interest because it spectacularly confirms a
> prediction made by a number of us in the paper on `The Risks of Key
> Recovery, Key Escrow, and Trusted Third-Party Encryption'
> <http://www.cdt.org/crypto/risks98/> that key escrow would make it
> much more difficult than people thought to build secure systems.
> 
> He's written a paper on his work and it's at
> 
>         http://senderek.de/security/key-experiments.html
> 
> Since NAI joined the Key Recovery Alliance, PGP has supported
> "Additional Decryption Keys" which can be added to a public key.  The
> sender will then encrypt the session key to these as well as to your
> main public key. The bug is that some versions of PGP respond to ADK
> subpackets in the non-signed part of the public key data structure.
> The effect is that GCHQ can create a tampered version of your PGP
> public key containing a public key whose corresponding private key is
> also known to themselves, and circulate it. People who encrypt traffic
> to you will encrypt it to them too.
> 
> The problem won't go away until all vulnerable versions of PGP are
> retired, since it's the sender who is responsible for encrypting to
> the ADKs, not the recipient.
> 
> In the meantime there might be a nasty denial-of-service attack in
> which bad guys upload tampered versions of everybody's public keys to
> all the public keyrings.
> 
> Ross
> 
> > PS: my student Steve Early has trawled the PGP-6.5.1i-beta2 source
> > code and found the bug:
> >
> > In file libs/pgpcdk/priv/keys/keys/pgpRngPub.c, I see two functions:
> > one called ringKeyFindSubpacket(), which finds a subpacket from a
> > self-signature packet, and ringKeyAdditionalRecipientRequestKey(),
> > which uses ringKeyFindSubpacket() to search for ADK subpackets.
> >
> > ringKeyFindSubpacket() is declared as follows:
> >
> > PGPByte const *
> > ringKeyFindSubpacket (RingObject *obj, RingSet const *set,
> >         int subpacktype, unsigned nth,
> >         PGPSize *plen, int *pcritical, int *phashed, PGPUInt32 *pcreation,
> >         unsigned *pmatches, PGPError *error);
> >
> > In particular, the "phashed" parameter is used to return whether the
> > subpacket was in the hashed region. Now, looking at the call in
> > ringKeyAdditionalRecipientRequestKey() I see this:
> >
> >         krpdata = ringKeyFindSubpacket (obj, set,
> >                 SIGSUB_KEY_ADDITIONAL_RECIPIENT_REQUEST, nth, &krdatalen,
> >                 &critical, NULL, NULL, &matches, error);
> >
> > ...the "phashed" value isn't checked (or even asked for)!
> >
> >
> > Fixing the bug, and generating BIG WARNINGS when ADKs are found in the
> > non-hashed area, should be trivial.

-- 
"Not all those who wander are lost."      mfreed@zeroknowledge.com

Prev by Date: [freehaven-dev] Adult entertainment industry looks to file-sharing
Next by Date: [freehaven-dev] resource allocation and flooding
Prev by thread: [freehaven-dev] Adult entertainment industry looks to file-sharing
Next by thread: [freehaven-dev] resource allocation and flooding
Index(es):
- Date
- Thread