Ugly Mistake for Pretty Good
by Jay D. Dyson
"If you think cryptography can solve your problem, then you don't
understand your problem and you don't understand cryptography."
Pretty Good Privacy (PGP) has a long and colorful history. Since its
debut in 1991 by cryptographer Phil Zimmermann, PGP attracted
immediate attention. The notion of "public key encryption for the
masses" achieved instant recognition not only from privacy advocates,
but the National Security Agency. Over the years, PGP stood as a
bulwark for personal privacy amidst the introduction of the U.S.
government's Clipper proposal and increasingly expansive wiretapping
An equally rocky legal history couples with PGP's turbulent political
history. Issues regarding PGP's use of the RSA public key
implementation and charges of violating the U.S. International Traffic
in Arms Regulations (ITAR) continually dogged both the program and its
author. To stave off these complications, PGP formed strategic
partnerships with ViaCrypt and MIT. Then, in 1998, Network
Associates, Inc. (NAI) acquired PGP.
http://www.freedomfighter.net/crypto/pgp-history.html (Dead link: 05/2002)
http://os390-mvs.hypermart.net/PGPHistory.htm (Alternative link to above)
PGP had finally come of age. Its "banditware" reputation faded into
the background, and it quickly achieved legitimacy in the eyes of
corporate America. In December of 1999, PGP even earned an export
license by its once-greatest nemesis -- the U.S. Government.
Everything seemed rosy.
However, NAI, the proud owner of PGP, also happened to belong to the
Key Recovery Alliance, an organization advocating government key
escrow. Though NAI disavowed its membership with the KRA in 1997, it
quietly resumed ties with the organization. To that end, NAI also
continued their work with Additional Decryption Keys (ADK) with PGP.
ADKs, introduced as an alternative to key escrow, were touted as a
feature for businesses using PGP. With ADKs, a company can add a
master key to the user's public key. That way, if an employee leaves
the company, the company will still be able to decrypt that employee's
files. What could possibly be wrong with that?
Shortly after ADK's 1998 inclusion into PGP, many in the cryptographic
community began voicing concerns regarding its use. The most ominous
among them was Ralf Senderek's evaluation that read in part:
"I do not know which mechanism will prevent a user's public
key to be linked with another faked message recovery key without the user's
consent or knowledge."
Two years later, his concern was validated. On August 24, 2000, Ralf
Senderek discovered a vulnerability in version 5 and 6 PGP public keys
that allows unauthorized ADK modification. Some versions of PGP honor ADK
subpackets placed in the non-signed part of the public key data structure,
the part not covered by the key owner's self-signature.
Thus, any third party could issue a tampered copy of one's PGP public
key that names the third party's own key as an ADK. Anything encrypted to Jane
User's public key would then also be encrypted to Joe Intruder's
public key, effectively giving Joe access to any and all private data
meant only for Jane's eyes.
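The detection a sender's software should have performed, as an added example that is not code from the article or from PGP: walk an OpenPGP (RFC 4880) key blob, parse each v4 signature's hashed and unhashed subpacket areas, and report every ADK subpacket together with the area it sits in. An ADK in the unhashed area is exactly the unsigned injection described above. It assumes subpacket type 10, the registry's "placeholder for backward compatibility", is the legacy PGP ADK subpacket, and the sample key bytes are constructed here with dummy signature material.

```python
import struct

ADK_SUBPACKET = 10  # legacy PGP ADK subpacket type (assumption, see lead-in)

def _packets(data):
    """Yield (tag, body) for each OpenPGP packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: n = first
            elif first < 224: n = ((first - 192) << 8) + data[i] + 192; i += 1
            else: n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            width = {0: 1, 1: 2, 2: 4}.get(ctb & 3)
            if width is None: raise ValueError("indeterminate length unsupported")
            n = int.from_bytes(data[i:i + width], "big"); i += width
        yield tag, data[i:i + n]; i += n

def _subpackets(area):
    """Yield (type, critical, body) from a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]; i += 1
        if first < 192: n = first
        elif first < 255: n = ((first - 192) << 8) + area[i] + 192; i += 1
        else: n = struct.unpack(">I", area[i:i + 4])[0]; i += 4
        t = area[i]                                      # length counts the type octet
        yield t & 0x7F, bool(t & 0x80), area[i + 1:i + n]; i += n

def find_adks(key_blob):
    """Return [(area, critical, body_hex)] for every ADK subpacket in v4 signatures."""
    found = []
    for tag, body in _packets(key_blob):
        if tag != 2 or body[0] != 4:                    # only v4 signatures carry subpackets
            continue
        hlen = struct.unpack(">H", body[4:6])[0]
        ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
        areas = (("hashed", body[6:6 + hlen]), ("unhashed", body[8 + hlen:8 + hlen + ulen]))
        for name, area in areas:
            found += [(name, c, sub.hex()) for t, c, sub in _subpackets(area) if t == ADK_SUBPACKET]
    return found

def has_unsigned_adk(key_blob):
    """True if any ADK lives outside the signed (hashed) area: refuse to encrypt."""
    return any(area == "unhashed" for area, _, _ in find_adks(key_blob))

# Constructed sample key: public-key pkt, user-ID pkt, v4 self-sig pkt (dummy signature).
def _pkt(tag, body): return bytes([0xC0 | tag, len(body)]) + body
def _sub(t, body): return bytes([len(body) + 1, t]) + body
def _make_key(hashed, unhashed):
    sig = (b"\x04\x13\x01\x02" + struct.pack(">H", len(hashed)) + hashed
           + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00\x00\x08\xff")
    return _pkt(6, b"\x04" + b"\x00" * 5 + b"\x01") + _pkt(13, b"jane@example.invalid") + _pkt(2, sig)
CREATION = _sub(2, b"\x39\xa5\x00\x00")                         # signature creation time
ROGUE_ADK = _sub(ADK_SUBPACKET, b"\x80\x11" + b"\xaa" * 20)     # constructed ADK body
CLEAN_KEY = _make_key(CREATION, b"")
TAMPERED_KEY = _make_key(CREATION, ROGUE_ADK)                   # ADK injected after the fact
```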
As Senderek points out, the problem won't go away until all vulnerable
PGP versions are retired, since it is the sender who is responsible for
encrypting to the ADKs, not the recipient. Keep in mind that the vast
majority of NAI PGP users also use programs such as MS Outlook
(already demonstrably insecure, considering the "Melissa" and "I Love
You" variants that brought such systems to their knees). Supposing that
they would not detect an unauthorized ADK attack if they experienced
it requires no suspension of disbelief.
The fallout of this revelation was swift. Amongst the hue and cry
over Senderek's report came wholesale PGP keyserver cleansing efforts
and a sudden groundswell of people speaking out against PGP's use,
favoring instead other public key cryptographic programs such as GNU
Privacy Guard (GPG). Even seasoned users of the older versions of PGP
questioned its continued use.
"[They] became so preoccupied with whether or not they could
that they didn't stop to think if they should."
Ian Malcolm (from Jurassic Park)
PGP's philosophy and use are sound; however, NAI sacrificed the core
security on which every public key cryptographic system relies in its
rush to implement new "value-added" features. In doing so, they have
also risked the hard-won confidence that PGP has cultivated since it was first
distributed across the Internet.
Many others, including myself, have long since abandoned use of any
cryptographic system that does not make freely available its source
code. This latest incident only serves to galvanize my stance. While
I will continue using NAI's version of PGP as my customers may
require, I will only trust the version that I have personally reviewed
and compiled. This may seem backward to some, but it is essential to
me. In looking back on the events of this past week, I have to concur
with Senderek's latest comment:
"This is not a bug, this is a scandal..."
About the author
Jay D. Dyson is an independent security
consultant specializing in network and host security services and serves as a Senior Security
Engineer for the National Aeronautics and Space Administration (NASA) in Pasadena, California.
He has been involved with computers for over 20 years and has been a system administrator for
over 15 years on various platforms.