27 August 2000.


Date: Sun, 27 Aug 2000 15:17:38 +0200
From: pgpenfrancais <pgpenfrancais@bigfoot.com>
To: jya@pipeline.com
CC: michel@bouissou.net
Subject: PGP in GPL to restore confidence?

John,

FYI, this very interesting message of Michel Bouissou, a French
crypto-activist.

Cheers,

--
pgpenfrancais@bigfoot.com
PGP en francais http://www.geocities.com/SiliconValley/Bay/9648/news.htm



****

From: "Michel Bouissou" <michel@bouissou.net>
Newsgroups: alt.security.pgp,comp.security.pgp.discuss,sci.crypt
Subject: PGP ADK Bug: What we expect from N.A.I.
Date: Sun, 27 Aug 2000 11:13:49 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The disastrous ADK bug recently discovered by Ralf Senderek in
versions 5.x and 6.x of PGP has greatly compromised the trust that
all of us crypto and privacy activists had in N.A.I. PGP.

In this message, I express not only my personal opinion, but as well
the opinion of several crypto and privacy activists, long-time PGP
supporters in France.

This bug is the most serious and threatening one ever discovered in
PGP since its beginning.

Although N.A.I. quickly reacted to this bug by scanning and fixing
their keyservers, publishing a new PGP 6.5.8 version supposed to be
immune to the bug within 48 hours after its discovery, and also
released a PGPrepair program which is supposed to clean forged public
keys from keyrings, this still is far from enough.

(We write "supposed" not because we distrust the efforts made by
N.A.I., but because we estimate that these solutions cannot have been
tested enough in this short timeframe to put full confidence into
them).

We received information from N.A.I. stating that these
countermeasures were the first steps taken in emergency, and we
acknowledge that they showed themselves quick and reactive and there
was not much more that they could have done in such a short timeframe.

We understand from N.A.I. employees' statements that more comprehensive
and definitive solutions are yet to come and are looking forward to
these solutions.

Yet, we regret that N.A.I. and / or Phil Zimmermann haven't so far
released clearer explanations about what they thought of this bug and
its cause and consequences from a technical standpoint.

The fact that this bug can allow messages to be encrypted to somebody
(attacker) different than the intended message recipients makes it
one of the most disastrous things that can happen to a public-key
cryptosystem.

This bug being related to the "ADK / ARR" feature in PGP makes the
issue still hotter, as this ADK feature has been contested and
disapproved from the beginning by the vast majority of PGP
supporters, as well as a number of crypto specialists.

In any case, this "ADK / ARR" feature is a very sensible thing, as
incorporating such features in a cryptosystem creates one possible
weakness and attack path. Ralf's discovery recently proved we were
right to be worried about it.

This ADK system being so sensible, we would have expected N.A.I. to
have put the highest care in implementing, testing, securing and
documenting it. Unfortunately, Ralf's work and our own tests proved
this wasn't the case.

=> The bug exists, can easily be exploited. This has been largely
debated these last days.

=> The "warning" messages do not behave as one would expect by
reading the manuals and options explanations.

=> The whole ADK concept and implementation is not explained nor
discussed in the PGP Freeware manual, maintaining ignorance and
confusion about sensible things which should be made very clear.

All this proves that this wasn't properly done, and, quoting Ralf
Senderek's last public note:
<<<<<
>This is not a bug, this is a scandal, because NAI put ADKs into PGP
>without caring about simple manipulations.  Obviously there has
>never been a well thought-out security strategy and most of the
>relevant information the public got from NAI concerning ADKs was
>completely untrue as my
>experiments reveal.
>>>>>

We regret to say that we must share and approve Ralf's point of view
about this.

This weakness discovered in the v4 signature mechanism raises the
issues of possible other weaknesses that might have been introduced
in PGP when PGP5 was released, because it proves that things which
should have been carefully checked and designed were not. And such a
weakness stayed unnoticed for several years.

In light of this, we must acknowledge that Ralf Senderek's advice to
trust only PGP 2.6.x versions makes sense.

Seeing that, and seeing that several small but very visible bugs have
remained in the PGP G.U.I for a very long time (such as a bug in the
display of the main PGPkeys window, bug in the display of Keyserver
search results...) we really have to worry about the overall quality
and security of the PGP products.

Consequently, we suggest that:

- - N.A.I. should put the core of PGPFreeware under GNU/GPL license.
This would probably have no or little impact on the ability of N.A.I.
to keep producing and selling commercial PGP versions and related
security services, and would help much in restoring confidence.

- - N.A.I. should start cooperating, and not competing, with current
PGP-compatible cryptosystems developments such as GnuPG.

- - N.A.I. should urgently have the current PGP versions and key
formats reviewed by independent, competent, and well-known
cryptographers, and should ask them to publish an independent audit
report about their findings.

- - N.A.I. should communicate very clearly about the ADK issue, and the
possible consequences of the existence of a non-hashed area in the v4
signature format. Although details about this signature format may be
buried somewhere in a technical RFC or the like, N.A.I. should
publicly discuss this signature format and the reason why such
non-hashed areas were put into it.

- - N.A.I. should try its best to explain how this bug can have been
introduced unnoticed in PGP, and why the implementation of the ADK
feature has not been accompanied with security controls that meet the
quality standards expected for such a life-critical software.

- - N.A.I. should take appropriate measures to really kick this problem
off. If this means having to abandon the current DH/DSS keys or
signature format and developing a new, more robust format, this
should be undertaken according to independent and competent
cryptographers' advice.

- - N.A.I. should stop bundling PGP with other "security" features such
as a VPN or firewall or intrusion detector that have nothing to do
with the PGP core. PGP is PGP and may be accompanied by
PGPdisk. The rest has nothing to do with PGP and could be sold by
N.A.I. in different, separated software packages if they want. The
more unnecessary and bulky things are included with PGP, the bigger
PGP grows, the harder it becomes to review and control, and the higher
becomes the risk that security-threatening bugs remain unnoticed.

- - N.A.I. should integrate into the next PGP releases an option to
globally deactivate ADK encryption, even if this means refusing to
encrypt anything to a recipient key which has an attached ADK.

- - And we wish that N.A.I. should release a freeware PGP version which
is completely ADK-free.

Should N.A.I. choose to follow some of this advice, this would
greatly help in restoring confidence that has much suffered from this
regrettable event.

Should N.A.I. choose to ignore these comments, this would surely lead
many people to distrust the PGP software and move on to new systems
such as GnuPG, which many of us are already seriously considering.

michel@bouissou.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.

iQA/AwUBOajNvY7YarFcK+6PEQIsfgCeItaFxuENITYwHyarFt6h3oX4dwwAn305
MezqixhI0VhEObdogHcJU3rO
=Jkhe
-----END PGP SIGNATURE-----

****
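The message above asks N.A.I. to explain the "non-hashed area in the v4 signature format" and why an ADK placed there is dangerous. The following is an added illustration, written for this archive and not code from Michel Bouissou, Ralf Senderek or N.A.I.: it lays out a v4 signature packet in the RFC 4880 §5.2.3 shape (hashed subpacket area, then unhashed subpacket area), parses both areas, and shows the check a verifier must apply: only an ADK subpacket that sits inside the hashed area is covered by the key owner's self-signature, so any ADK found in the unhashed area must be ignored rather than encrypted to. The subpacket type number 10 for ADK/ARR and the class/algorithm/fingerprint body layout are assumptions taken from PGP's own numbering, the fingerprints and issuer ID are constructed sample values, and the trailing hash prefix and MPI are placeholders, since the point is the packet structure, not a real DSA signature.

```python
"""Separate hashed from unhashed v4 signature subpackets and report where an
ADK (additional decryption key) subpacket lives. Added example; assumptions:
subpacket type 10 = PGP ADK/ARR, body = class byte + pk algorithm + 20-byte
fingerprint. All key material below is constructed, not real."""
import struct

SUBPKT_CREATION_TIME = 2   # RFC 4880: signature creation time
SUBPKT_ADK = 10            # assumption: PGP "additional recipient request" type
SUBPKT_ISSUER = 16         # RFC 4880: issuer key ID (customarily unhashed)


def encode_subpacket(ptype, body):
    """Subpacket = length (covers type byte + body), type, body."""
    n = len(body) + 1
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        n -= 192
        hdr = bytes([192 + (n >> 8), n & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return hdr + bytes([ptype]) + body


def build_v4_signature(hashed, unhashed, sig_type=0x13, pk_algo=17, hash_algo=2):
    """Assemble a v4 signature packet body. The hash prefix and MPI at the end
    are placeholders: this demonstrates layout, not a valid signature."""
    h = b"".join(encode_subpacket(t, b) for t, b in hashed)
    u = b"".join(encode_subpacket(t, b) for t, b in unhashed)
    return (bytes([4, sig_type, pk_algo, hash_algo])
            + struct.pack(">H", len(h)) + h        # hashed area: signed
            + struct.pack(">H", len(u)) + u        # unhashed area: NOT signed
            + b"\x00\x00"                          # left 16 bits of hash (placeholder)
            + b"\x00\x01\x01")                     # dummy 1-bit MPI (placeholder)


def parse_subpackets(data):
    """Return [(type, body)] for a subpacket area, honouring the 1/2/5-byte
    length encodings and masking the critical bit off the type."""
    out, i = [], 0
    while i < len(data):
        first = data[i]
        if first < 192:
            n, i = first, i + 1
        elif first < 255:
            n, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            n, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        if n == 0 or i + n > len(data):
            raise ValueError("malformed subpacket length")
        out.append((data[i] & 0x7F, bytes(data[i + 1:i + n])))
        i += n
    return out


def parse_v4_signature(pkt):
    if pkt[0] != 4:
        raise ValueError("not a v4 signature packet")
    hlen = struct.unpack(">H", pkt[4:6])[0]
    hashed = parse_subpackets(pkt[6:6 + hlen])
    pos = 6 + hlen
    ulen = struct.unpack(">H", pkt[pos:pos + 2])[0]
    unhashed = parse_subpackets(pkt[pos + 2:pos + 2 + ulen])
    return hashed, unhashed


def hashed_region(pkt):
    """The bytes a v4 signature hash actually covers: version, type,
    algorithms, and the hashed subpacket area. Nothing after it is protected."""
    hlen = struct.unpack(">H", pkt[4:6])[0]
    return bytes(pkt[:6 + hlen])


def find_adks(pkt):
    """Return (trusted, untrusted) ADK fingerprints as hex. Only the hashed
    area is authenticated by the key owner; an ADK in the unhashed area could
    have been appended by anyone after signing and must not be honoured."""
    hashed, unhashed = parse_v4_signature(pkt)
    trusted = [b[2:].hex() for t, b in hashed if t == SUBPKT_ADK]
    untrusted = [b[2:].hex() for t, b in unhashed if t == SUBPKT_ADK]
    return trusted, untrusted


# Constructed sample values (not real keys or fingerprints).
CREATED = struct.pack(">I", 967_000_000)
ISSUER_ID = bytes.fromhex("0123456789abcdef")
OWNER_ADK_FP = bytes(range(1, 21))
ROGUE_ADK_FP = bytes(range(101, 121))


def adk_body(fp, cls=0x80, algo=17):
    return bytes([cls, algo]) + fp


def demo():
    base_hashed = [(SUBPKT_CREATION_TIME, CREATED)]
    base_unhashed = [(SUBPKT_ISSUER, ISSUER_ID)]
    clean = build_v4_signature(base_hashed, base_unhashed)
    # A key owner who genuinely wants an ADK signs it: it goes in the hashed area.
    legit = build_v4_signature(base_hashed + [(SUBPKT_ADK, adk_body(OWNER_ADK_FP))],
                               base_unhashed)
    # An ADK in the unhashed area leaves the signed bytes untouched, so the
    # self-signature still verifies; a correct verifier must still reject it.
    tampered = build_v4_signature(base_hashed,
                                  base_unhashed + [(SUBPKT_ADK, adk_body(ROGUE_ADK_FP))])
    return {
        "clean": find_adks(clean),
        "legit": find_adks(legit),
        "tampered": find_adks(tampered),
        "hash_input_unchanged": hashed_region(clean) == hashed_region(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The `hash_input_unchanged` result is the whole point of the complaint in the post: the clean and tampered packets hash to the same input, so a signature check alone cannot distinguish them, and the decision about which ADKs to honour has to be made by the parser from the hashed area only.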