
On Mon, 28 Aug 2000, David T-G wrote:
> Brian, et al --
>
> ...and then Brian Galbraith said...
> %
> % Yuri Robbers wrote:
> % >
> % > When will SuSE release updated rpm's for the PGP vulnerability announced
> % > by CERT?
> % >
> % SuSE distributes only PGP 2.6.3 and GnuPG....none of which have the ADK
> % vulnerability.
>
> Please forgive the newbie for jumping in, but I believe that GPG *is* susceptible to this sort of attack when using any Version 4 keys, including V4 RSA keys (and, since I haven't figured out how to get GPG 1.0.2 to use RSA V3 keys, that includes me).

No, GPG is NOT!!! vulnerable, since it doesn't use the ADK mechanism. For a more detailed explanation check out the GnuPG homepage or the discussion lists. It's not even the V4 RSA standard that is flawed, but PGP's implementation of it.

> I get this from Ralf Senderek's paper at
>
> http://senderek.de/security/key-experiments.html
>
> in the Inevitable Conclusions section, wherein he recommends using GPG as an analysis tool but using PGP 2.6.3 as your only encryption/decryption tool.

He mixes up two different things. It is possible to corrupt a gpg-generated signature in the same way as a PGP-generated signature (since both adhere to the V4 standard), but gpg will never use the false ADK when encrypting, or in fact ANY ADK. As long as you encrypt and decrypt with gpg you are not vulnerable.

> I realize that, if I have a DH key (as I do at the moment), nothing in the world can stop Joe Correspondent from getting a corrupted copy of my public key and using his PGP to encrypt to me as well as to an attacker; all we can do is to ensure that he gets the real key from me, and so on.
>
> I would love to be proven wrong in my understanding that GPG is also vulnerable to accepting and using a compromised key, since I like the GPG interface and key management much more than either modern or "older" PGP versions. If anyone has any information, please feel free to send it on to me!

Check out the gnupg discussion lists. The addresses can be found at www.gnupg.org. On the first line you can also find the following:

--> Snip
GnuPG is not vulnerable to the faked ARR (aka ADK) attack as PGP 5 and 6 are. The reason for this is that GnuPG intentionally does not handle those "additional recipients requests". BTW, those Big Brother packets are not defined in the OpenPGP standard - they are a proprietary PGP extension.
--> Snap

gr Stefan
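The two behaviours argued about above (an ADK request appended to a key's self-signature where the owner never signed it, and an encryptor either honouring it as PGP 5/6 did or ignoring it as GnuPG does) can be made concrete with a small OpenPGP v4 signature subpacket walker. This is an added example, not code from the thread or from GnuPG or PGP. Assumptions, labelled in the code: the ADK/ARR request uses signature subpacket type 10 with a body of class octet, public-key-algorithm octet and 20-byte fingerprint (PGP's proprietary layout, not part of the OpenPGP standard), and the sample signature packet is constructed inline rather than taken from any real key.

```python
"""Inspect OpenPGP v4 signature subpackets for PGP-style ADK/ARR requests.

Added example, not from the original thread. Labelled assumptions:
  * the ADK/ARR subpacket uses subpacket type 10 and carries a class
    octet, a pk-algorithm octet and a 20-byte fingerprint;
  * the sample signature packet below is constructed here, not captured.
"""
import struct

ADK_SUBPACKET_TYPE = 10   # assumption: PGP's proprietary ARR/ADK subpacket tag

# ---- minimal OpenPGP (RFC 2440) subpacket / v4 signature plumbing ----

def _read_subpacket_len(buf, pos):
    """Decode the 1-, 2- or 5-octet subpacket length field at buf[pos]."""
    b0 = buf[pos]
    if b0 < 192:
        return b0, pos + 1
    if b0 < 255:
        return ((b0 - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5

def parse_subpackets(area):
    """Return [(type, critical_bit, body), ...] for every subpacket in an area."""
    out, pos = [], 0
    while pos < len(area):
        length, pos = _read_subpacket_len(area, pos)
        if length == 0 or pos + length > len(area):
            raise ValueError("truncated subpacket")
        tag = area[pos]                       # length counts the type octet
        out.append((tag & 0x7F, bool(tag & 0x80), area[pos + 1:pos + length]))
        pos += length
    return out

def split_v4_signature(body):
    """Return (hashed_area, unhashed_area) of a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("only v4 signatures carry subpackets")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    p = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[p:p + 2])[0]
    unhashed = body[p + 2:p + 2 + unhashed_len]
    return hashed, unhashed

def find_adk_requests(sig_body):
    """List ADK subpackets and whether the key owner's signature covers them.
    Only the hashed area is under the self-signature; anyone holding the
    public key can append subpackets to the unhashed area."""
    found = []
    hashed, unhashed = split_v4_signature(sig_body)
    for area_name, area in (("hashed", hashed), ("unhashed", unhashed)):
        for tag, _critical, sub in parse_subpackets(area):
            if tag == ADK_SUBPACKET_TYPE:
                found.append({"area": area_name,
                              "fingerprint": sub[2:].hex(),   # assumed body layout
                              "covered_by_selfsig": area_name == "hashed"})
    return found

def encryption_recipients(owner_fpr, sig_body, honor_adk):
    """Who an encryptor ends up encrypting to after reading the self-signature.
    honor_adk=True mimics the behaviour the thread attributes to PGP 5/6
    (ADK requests honoured, signed or not); False mimics GnuPG, which
    ignores ADK subpackets entirely, so the attacker never becomes a recipient."""
    recipients = [owner_fpr]
    if honor_adk:
        recipients += [r["fingerprint"] for r in find_adk_requests(sig_body)]
    return recipients

# ---- constructed sample: a self-sig with an attacker-appended ADK request ----

def _subpacket(tag, body):
    return bytes([len(body) + 1, tag]) + body         # 1-octet length form only

def build_v4_sig_body(hashed_subs, unhashed_subs):
    hashed, unhashed = b"".join(hashed_subs), b"".join(unhashed_subs)
    return (bytes([4, 0x13, 1, 2])                     # v4, positive cert, RSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x00\x00" + b"\x00\x01\x01")           # dummy hash prefix + dummy MPI

OWNER_FPR = "11" * 20        # constructed fingerprints, not real keys
ATTACKER_FPR = "aa" * 20
SAMPLE_SIG = build_v4_sig_body(
    [_subpacket(2, b"\x39\xaa\x00\x00")],             # creation time, under the self-sig
    [_subpacket(ADK_SUBPACKET_TYPE,                   # appended later, never signed
                b"\x80\x01" + bytes.fromhex(ATTACKER_FPR))])

if __name__ == "__main__":
    for r in find_adk_requests(SAMPLE_SIG):
        print(r)
    print("PGP 5/6 style:", encryption_recipients(OWNER_FPR, SAMPLE_SIG, True))
    print("GnuPG style:  ", encryption_recipients(OWNER_FPR, SAMPLE_SIG, False))
```

Running the block reports the single ADK request as sitting in the unhashed area, i.e. not covered by the owner's self-signature; the PGP-style recipient list then contains the attacker's fingerprint while the GnuPG-style list contains only the key owner. The check you would actually want before trusting any ADK-like subpacket is the `covered_by_selfsig` flag, and even a hashed ADK only proves the key owner asked for it, not that the correspondent wants it.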