Treachery Unlimited: A Computer & Network Security Information Clearinghouse Site


Ugly Mistake for Pretty Good
 by Jay D. Dyson


"If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."
      — Bruce Schneier

Pretty Good Privacy (PGP) has a long and colorful history. From its debut in 1991 by cryptographer Phil Zimmermann, PGP attracted immediate attention. The notion of "public key encryption for the masses" achieved instant recognition not only from privacy advocates, but also from the National Security Agency. Over the years, PGP stood as a bulwark for personal privacy amidst the introduction of the U.S. government's Clipper proposal and increasingly expansive wiretapping legislation.

PGP's turbulent political history is matched by an equally rocky legal one. Issues regarding PGP's use of the RSA public key implementation and charges of violating the U.S. International Traffic in Arms Regulations (ITAR) continually dogged both the program and its author. To stave off these complications, PGP formed strategic partnerships with ViaCrypt and MIT. Then, in 1998, Network Associates, Inc. (NAI) acquired PGP.

http://www.cypherspace.org/~adam/timeline/
http://www.freedomfighter.net/crypto/pgp-history.html (Dead link: 05/2002)
http://os390-mvs.hypermart.net/PGPHistory.htm (Alternative link to above)

PGP had finally come of age. Its "banditware" reputation faded into the background, and it quickly achieved legitimacy in the eyes of corporate America. In December of 1999, PGP even earned an export license from its once-greatest nemesis -- the U.S. Government. Everything seemed rosy.

However, NAI, the proud owner of PGP, also happened to belong to the Key Recovery Alliance, an organization advocating government key escrow. Though NAI disavowed its membership in the KRA in 1997, it quietly resumed ties with the organization. To that end, NAI also continued its work with Additional Decryption Keys (ADK) in PGP. ADKs, introduced as an alternative to key escrow, were touted as a feature for businesses using PGP. With ADKs, a company can add a master key to the user's public key. That way, if an employee leaves the company, the company will still be able to decrypt that employee's files. What could possibly be wrong with that?

Plenty.

http://www.fitug.de/debate/9811/msg00233.html
http://www.cdt.org/crypto/risks98/

Shortly after ADK's 1998 inclusion in PGP, many in the cryptographic community began voicing concerns regarding its use. The most ominous among them was Ralf Senderek's evaluation, which read in part:

"I do not know which mechanism will prevent a user's public key to be linked with another faked message recovery key without the user's consent or knowledge."

Two years later, his concern was validated. On August 24, 2000, Ralf Senderek discovered that version 5 and 6 PGP public keys were vulnerable to unauthorized ADK modification. Some versions of PGP respond to ADK subpackets in the non-signed part of the public key data structure. Thus, any third party could issue a tampered copy of one's PGP public key containing their own public key. Anything encrypted to Jane User's public key would then also be encrypted to Joe Intruder's public key, effectively giving Joe access to any and all private data meant only for Jane's eyes.

http://senderek.de/security/key-experiments.html
http://cryptome.org/pgp-badbug.htm
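
The check an implementation needs here is to honor an ADK request only when it sits in the signed (hashed) subpacket area of a key's signature. The following is an added example, not code from PGP or from Senderek's report: it audits a version 4 OpenPGP signature packet body and reports anything other than an issuer key ID found in the unhashed area. It assumes subpacket type 10 is the ADK request (the page gives no number), does not verify the signature itself, and its helper names and sample packets are constructed for illustration.

```python
ADK_REQUEST = 10    # assumed subpacket type for the ADK request (not given on the page)
ISSUER_KEY_ID = 16  # advisory subpacket that is routinely left unhashed

def read_subpackets(area):
    """Yield (type, data) for each subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            length = ((first - 192) << 8) + int.from_bytes(area[i + 1:i + 2], "big") + 192
            i += 2
        else:                                 # five-octet length
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or malformed subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask off the critical bit
        i += length

def split_areas(body):
    """Return the (hashed, unhashed) subpacket areas of a v4 signature packet body."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature packet body")
    h_end = 6 + int.from_bytes(body[4:6], "big")
    u_end = h_end + 2 + int.from_bytes(body[h_end:h_end + 2], "big")
    if u_end > len(body):
        raise ValueError("subpacket areas overrun the packet")
    return body[6:h_end], body[h_end + 2:u_end]

def audit_signature(body):
    """List subpackets that the signature hash does not cover."""
    findings = []
    for sp_type, _data in read_subpackets(split_areas(body)[1]):
        if sp_type == ADK_REQUEST:
            findings.append("ADK request in unhashed area: not covered by the signature")
        elif sp_type != ISSUER_KEY_ID:
            findings.append(f"unexpected unhashed subpacket type {sp_type}")
    return findings

# Constructed sample data: placeholder contents only, no real key material.
def make_subpacket(sp_type, data):
    return bytes([len(data) + 1, sp_type]) + data

def make_signature(hashed, unhashed):
    areas = b"".join(len(a).to_bytes(2, "big") + a for a in (hashed, unhashed))
    return bytes([4, 0x13, 17, 2]) + areas + bytes(4)  # v4 header, areas, dummy tail

CREATED, ISSUER = make_subpacket(2, bytes(4)), make_subpacket(16, bytes(8))
ADK = make_subpacket(ADK_REQUEST, bytes(22))
CLEAN = make_signature(CREATED, ISSUER)
SIGNED_ADK = make_signature(CREATED + ADK, ISSUER)   # ADK inside the signed area
TAMPERED = make_signature(CREATED, ISSUER + ADK)     # ADK outside the signed area
```

Only `TAMPERED` produces a finding; the same ADK subpacket inside the hashed area passes this audit because the key owner's signature covers it.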

As Senderek points out, the problem won't go away until all vulnerable PGP versions are retired, since it is the sender, not the recipient, who is responsible for encrypting to the ADKs. Keep in mind, the vast majority of NAI PGP users also use programs such as MS Outlook (already demonstrably insecure considering the "Melissa" and "I Love You" variants that brought such systems to their knees). Supposing they would not detect an unauthorized ADK attack if they experienced it requires no suspension of disbelief.

The fallout of this revelation was swift. Amongst the hue and cry over Senderek's report came wholesale PGP keyserver cleansing efforts and a sudden groundswell of people speaking out against PGP's use, favoring instead other public key cryptographic programs such as GNU Privacy Guard (GPG). Even seasoned users of the older versions of PGP questioned its continued use.

"[They] became so preoccupied with whether or not they could that they didn't stop to think if they should."
      — Ian Malcolm (from Jurassic Park)

PGP's philosophy and use are sound; however, NAI sacrificed the core security on which every public key cryptographic system relies in its rush to implement new "value-added" features. In doing so, it has also risked the hard-won confidence PGP has cultivated since it was first distributed across the Internet.

Many others, including myself, have long since abandoned use of any cryptographic system that does not make freely available its source code. This latest incident only serves to galvanize my stance. While I will continue using NAI's version of PGP as my customers may require, I will only trust the version that I have personally reviewed and compiled. This may seem backward to some, but it is essential to me. In looking back on the events of this past week, I have to concur with Senderek's latest comment:

"This is not a bug, this is a scandal..."


About the author
Jay D. Dyson is an independent security consultant specializing in network and host security services and serves as a Senior Security Engineer for the National Aeronautics and Space Administration (NASA) in Pasadena, California. He has been involved with computers for over 20 years and has been a system administrator for over 15 years on various platforms.


Copyright © 1999 - 2011 • Treachery Unlimited.
Last updated on Sunday, 11-Apr-2004 01:48:47 MST