28 August 2000: Add two notes from Ralf Senderek.

26 August 2000


To: ukcrypto@maillist.ox.ac.uk
Subject: A note to the public - relayed from Ralf Senderek
Date: Sat, 26 Aug 2000 12:59:24 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----


A note to the public.


I have been warning repeatedly to use newer versions of PGP for over
two years now. In a study I put on the net in August 1998 which is
also present on the PGP-International website I expressed my valuation
of the ADK-problem which came with the newer versions.
May I cite one sentence from my earlier work:

"I do not know which mechanism will prevent a user's public key to be
linked with another faked message recovery key without the user's
consent or knowledge."

I expressed my fear that this can happen and hoped that there will be
security-checking mechanisms to prevent this. But not knowing much about
the details of signatures and packages in 1998 I finally started to put
this to a test because in the meantime almost everyone got used to the
new keys.
Completing my study and making sure that everyone who repeats my tests
will get the same results I presented my study to the public on Tuesday
22nd August 2000 and informed persons working on computer security
immediately.

So I did not find a bug in the PGP-source code, that was Steve Early
working with Ross Anderson after having studied my experimental research
at Cambridge on Wednesday.
I discovered that there simply is no checking done, not even the attempt
to detect unauthorized manipulations of public keys.
This is not a bug, this is a scandal, because NAI put ADKs into PGP
without caring about simple manipulations.  Obviously there has never been
a well thought-out security strategy and most of the relevant information
the public got from NAI concerning ADKs was completely untrue as my
experiments reveal.

No quick debugging will solve this situation and the damage being done
to the reputation of PGP by everyone who supports Additional Decryption Keys.

I am opposed to Additional Decryption Keys, as you know, but I do not want
people to turn away from PGP. I would like to see people getting rid
of the ADK-problem actively by checking the keys they use and avoiding
the new signature type.

"Use PGP-classic in a reliably secure environment." That would be my
advice if I had 49 characters left on the telegram.

Ralf Senderek


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOae3cimc/oJTgiNJAQFsQAP+L+KfUcsDBkM3oGjSPEs/L1I04WGfhPjH
lRzqJYsNEN69A6K72eg1x8zHkeKGfIGQlS2eC9QbE4ZX4GTblh3Kdc8GXzCHRMSi
O2i1U765L7/0HbwKPSpyHZXMu96T0UpXSxJN61YqgKMr3zpreyySHBHWCCMLOjLv
sSqoFUCBnaw=
=8nRq
-----END PGP SIGNATURE-----

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf@senderek.de>                     * What is privacy *
* http://senderek.de                                    *     without     *
* Tel.: 02432-3960    Sandstr. 60   D-41849 Wassenberg  *   PGP-2.6.3i?   *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*


From: "Stefan Kelm" <kelm@secorvo.de>
Organization: Secorvo Security Consulting GmbH
To: Jya@pipeline.com
Date: Mon, 28 Aug 2000 09:49:27 +0200

FYI:

------- Forwarded message follows -------
Date sent:      Sat, 26 Aug 2000 16:31:25 +0100 (GMT)
From:           Ralf Senderek <ralf@senderek.de>
To:             Ingmar Camphausen <ingmar@pca.dfn.de>,
                Stefan Kelm <kelm@secorvo.de>,
                Ross Anderson <Ross.Anderson@cl.cam.ac.uk>,
                Stephen Early <Stephen.Early@cl.cam.ac.uk>,
                schneier@counterpane.com
Copies to:      win-sec@cert.dfn.de, WIN-PCA <win-pca@pca.dfn.de>,
                Thomas Schoch <Thomas.Schoch@gmx.de>, cert@cert.org,
                moeller@cert.dfn.de, michel@bouissou.net
Subject:        A second note to the public

Steve Early has notified me that the first sentence could be misunderstood
and therefore I have changed it. Thanks Steve.

-----BEGIN PGP SIGNED MESSAGE-----


A note to the public.


I have been warning repeatedly about using newer versions of PGP for over
two years now. In a study I put on the net in August 1998 which is
also present on the PGP-International website I expressed my valuation
of the ADK-problem which came with the newer versions.
May I cite one sentence from my earlier work:

"I do not know which mechanism will prevent a user's public key to be
linked with another faked message recovery key without the user's
consent or knowledge."

I expressed my fear that this can happen and hoped that there will be
security-checking mechanisms to prevent this. But not knowing much about
the details of signatures and packages in 1998 I finally started to put
this to a test because in the meantime almost everyone got used to the
new keys.
Completing my study and making sure that everyone who repeats my tests
will get the same results I presented my study to the public on Tuesday
22nd August 2000 and informed persons working on computer security
immediately.

So I did not find a bug in the PGP-source code, that was Steve Early
working with Ross Anderson after having studied my experimental research
at Cambridge on Wednesday.
I discovered that there simply is no checking done, not even the attempt
to detect unauthorized manipulations of public keys.
This is not a bug, this is a scandal, because NAI put ADKs into PGP
without caring about simple manipulations.  Obviously there has never been
a well thought-out security strategy and most of the relevant information
the public got from NAI concerning ADKs was completely untrue as my
experiments reveal.

No quick debugging will solve this situation and the damage being done
to the reputation of PGP by everyone who supports Additional Decryption Keys.

I am opposed to Additional Decryption Keys, as you know, but I do not want
people to turn away from PGP. I would like to see people getting rid
of the ADK-problem actively by checking the keys they use and avoiding
the new signature type.

"Use PGP-classic in a reliably secure environment." That would be my
advice if I had 49 characters left on the telegram.

Ralf Senderek


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOafgHSmc/oJTgiNJAQGIIQQAunpgXp5Wy1sI4eSyHR0GMw8Z1zSJkRJY
kogu1UPbeTsO9jDV9o5WHbPR+9+Ct+KIaQJmpvkqozlW34CjTCaMinJq84M44ghx
AMKS0TWStpdbtCvZJUJxyLZEIY2CmOS1aIhbJm2HwaU+/WtmGwiHgiNndD9bIoC7
EFYLTmifsMs=
=9V88
-----END PGP SIGNATURE-----
------- End of forwarded message -------

--------------------------------------------------------
PKI-Symposium, 10-11 October 2000, www.pki-symposium.de
--------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm@secorvo.de, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

From: "Stefan Kelm" <kelm@secorvo.de>
Organization: Secorvo Security Consulting GmbH
To: Jya@pipeline.com
Date: Mon, 28 Aug 2000 09:50:07 +0200

FYI:

------- Forwarded message follows -------
Date sent:      Sun, 27 Aug 2000 12:52:39 +0100 (GMT)
From:           Ralf Senderek <ralf@senderek.de>
To:             cert@cert.org, moeller@cert.dfn.de,
                Ingmar Camphausen <ingmar@pca.dfn.de>,
                Stefan Kelm <kelm@secorvo.de>,
                Ross Anderson <Ross.Anderson@cl.cam.ac.uk>,
                Stephen Early <Stephen.Early@cl.cam.ac.uk>
Subject:        A closer look at the advisory

-----BEGIN PGP SIGNED MESSAGE-----

Hello Cert,

let me explain some of my previous remarks to improve your advisory.
My last remark was somewhat ignoring the textual context, sorry I should
have looked closer, but as you may know, this was a busy day.

But let me come to your conditions which will be globally cited and will
be important for users to recognize their risks.

    * the sender must be using a vulnerable version of PGP
    * the sender must be encrypting data with a certificate modified by
      the attacker
    * the sender must acknowledge a warning dialog that an ADK is
      associated with the certificate
    * the sender must have the key for the bogus ADK already on their local
      keyring
    * the bogus ADK must be signed certificate by a CA that the sender
      trusts
    * the attacker must be able to obtain the ciphertext sent from the sender
      to the victim

I cannot verify your third condition for every running PGP in the field.
Can you?

I think condition five is the one I would not accept. And people might
think they need not be concerned if they are not trusting ADKs.

To prevent another disaster: Back in the old times before those clickable
damage traps came up trust had something to do with using your secret key.
When getting a new key the user had to do something which was not done in
half a second. Adding a key without using your secret key would bring the
key into the keyring but it would still be handled as untrusted. Accepting
it as a trusted key would have required self-certification or having
authorized another key as an introducer which would require using your
secret key as well.

Today exposing yourself to the risk I had described would require only
getting the manipulated key, and pressing the OK-button and because no
secret key is used one should not call this trust. That is why no trust
is necessary to make the manipulation work. The bogus ADK just has to be
present in the key ring, that's all.

As you may have noticed neither of my testkeys has a signature of any
other key except key-B2 and key-B3 which are designed to test if
certificates made by certification authorities can be used for
contamination as well.

Another point which you do not emphasize enough is the vulnerability of
RSA keys. Or may I say the lack of it. Your statement was:

"The recipient may use any type of PGP key, including RSA and
Diffie-Hellman. The version of PGP used by the recipient has no impact
on the attack."

You failed to tell the people that neither RSA nor Diffie-Hellman is the
problem but Version-4-self-signatures, as I had discovered. To produce a
Version-4-RSA-key from a Version-3-RSA-key is possible but it had to be
done with a key-editor; I never saw the transformation happen
automatically, as I documented in my paper. So the difference between RSA
and Diffie-Hellman is important, because all DH-keys are Version-4 and
vulnerable and only those RSA-keys which have been tampered with and whose
key-ID had changed in the manipulation can be contaminated. The vast
majority of RSA-key users who know their key-ID well can be sure that
their key is not affected after having checked that it has an old-style
self-signature. Please do not add to the denigration of RSA-keys, they
are different in respect to the ADK-problem.

All this information was in my paper but I hope I have pointed out some
important details.

Ralf Senderek

*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <ralf@senderek.de>                     * What is privacy *
* http://senderek.de                                    *     without     *
* Tel.: 02432-3960    Sandstr. 60   D-41849 Wassenberg  *   PGP-2.6.3i?   *
*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBOakAwymc/oJTgiNJAQEhegQArBxajjzhyAVER8hAOz4V/JOlucMiNDLR
BaEFavgOla8O7X5o7a0ycZsVPrYa+EnPlkrhWOqghQ/GFSE05VZt0wg64JAcEpZw
MlhBeQMAd4w/O+rhD+SYntVG5RjpCc47yI/NwGscM9rF9vN2WjzJ6O52GobBqsBW
q6cf6KwJu2k=
=Gzsr
-----END PGP SIGNATURE-----
------- End of forwarded message -------

--------------------------------------------------------
PKI-Symposium, 10-11 October 2000, www.pki-symposium.de
--------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant
Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe
Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm@secorvo.de, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B
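The check Senderek urges in both notes (look at the self-signatures on the keys you use, and distrust ADK information that no signature covers) can be done by walking a key's packets directly. The script below is an added example, not code from Senderek's paper, from PGP or from NAI. It assumes a binary (de-armored) OpenPGP packet stream as input, builds its own sample keyring with one-bit dummy MPIs and a made-up ADK fingerprint, and reports for each signature packet whether it is version 3 (old-style, no subpacket areas at all) or version 4, and whether any Additional Decryption Key subpacket (type 10) sits in the hashed area, which the signature covers, or in the unhashed area, which anyone can edit without the key owner's secret key.

```python
"""Audit a binary OpenPGP (RFC 2440) packet stream for ADK subpackets that no
signature covers. Added example, not code from Senderek's paper or from PGP;
the sample keyring is constructed by hand (one-bit dummy MPIs, made-up ADK
fingerprint)."""

TAG_SIGNATURE, TAG_PUBLIC_KEY, TAG_USER_ID = 2, 6, 13
SUBPACKET_ADK = 10  # "additional decryption key", RFC 2440 section 5.2.3.1


def _length(data, pos, two_byte_max):
    """New-format packet length (two_byte_max=223) or subpacket length (254) at pos."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first <= two_byte_max:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not handled in this example")


def iter_packets(data):
    """Yield (tag, body) for every packet; old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("offset %d is not a packet header" % pos)
        if ctb & 0x40:                  # new-format header
            tag = ctb & 0x3F
            length, pos = _length(data, pos + 1, 223)
        else:                           # old-format header, the kind PGP 2.x writes
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate-length packet not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        yield tag, data[pos:pos + length]
        pos += length


def _subpackets(area):
    """Yield (type, data) for each subpacket of a hashed or unhashed area."""
    pos = 0
    while pos < len(area):
        length, pos = _length(area, pos, 254)              # length includes the type byte
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # bit 7 is the critical flag
        pos += length


def describe_signature(body):
    """Signature version plus ADK fingerprints found in each subpacket area."""
    version = body[0]
    if version == 3:    # old-style signature: no subpacket areas, nothing to attach unsigned
        return {"version": 3, "adk_hashed": [], "adk_unhashed": []}
    if version != 4:
        raise ValueError("unknown signature version %d" % version)
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = int.from_bytes(body[pos:pos + 2], "big")
    unhashed = body[pos + 2:pos + 2 + unhashed_len]

    def adks(area):  # ADK data = class byte, public-key algorithm, 20-byte fingerprint
        return [d[2:].hex() for t, d in _subpackets(area) if t == SUBPACKET_ADK]
    return {"version": 4, "adk_hashed": adks(hashed), "adk_unhashed": adks(unhashed)}


def audit_keyring(data):
    """Describe every signature packet in the stream (other packets are skipped)."""
    return [describe_signature(body) for tag, body in iter_packets(data) if tag == TAG_SIGNATURE]


def has_unsigned_adk(data):
    """True if any signature carries an ADK in its unhashed area, the case Senderek describes."""
    return any(sig["adk_unhashed"] for sig in audit_keyring(data))


def _old_packet(tag, body):
    """Old-format packet header with a one-byte length, as PGP 2.x emits."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


_ONE = b"\x00\x01\x01"                  # one-bit dummy MPI with value 1
_FAKE_FP = bytes(range(0xA0, 0xB4))     # constructed 20-byte ADK fingerprint


def build_sample_keyring():
    """v4 DSA key, user ID, a v3 self-signature and a v4 self-signature whose
    unhashed area carries an ADK subpacket (the pattern vulnerable PGP accepted)."""
    key = b"\x04\x39\xA7\xB7\x72\x11" + _ONE * 4
    uid = b"constructed test key"
    sig3 = b"\x03\x05\x10\x39\xA7\xB7\x72" + b"\x00" * 8 + b"\x01\x01\xAB\xCD" + _ONE
    hashed = b"\x05\x02\x39\xA7\xB7\x72"               # creation-time subpacket
    adk = b"\x17\x0A\x80\x11" + _FAKE_FP               # type 10, class 0x80, algorithm 17
    sig4 = (b"\x04\x13\x11\x02" + len(hashed).to_bytes(2, "big") + hashed
            + len(adk).to_bytes(2, "big") + adk + b"\xAB\xCD" + _ONE * 2)
    return (_old_packet(TAG_PUBLIC_KEY, key) + _old_packet(TAG_USER_ID, uid)
            + _old_packet(TAG_SIGNATURE, sig3) + _old_packet(TAG_SIGNATURE, sig4))
```

Feed `audit_keyring` the bytes of a key exported in binary form (for example the output of `gpg --export`) to list its signatures; on the constructed keyring it reports one version 3 signature with no subpackets and one version 4 signature whose only ADK is in the unhashed area, so `has_unsigned_adk` returns True. An ADK that appears only in the unhashed area is exactly the unauthenticated attachment Senderek describes, whereas one in the hashed area was placed there by whoever held the secret key. Partial body lengths are deliberately rejected rather than parsed.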