PGP Security Hole

Testing at KeyLabs has verified a security vulnerability that has been discovered in Network Associates PGP (Pretty Good Privacy) encryption program. Giving rise to some "I told you sos", the vulnerability happens because of a feature added to let certain third-parties read your encrypted mail. ? The problem was found by German researcher Ralf Senderek, and has been circulated by CERT, and acknowledged by Network Associates. It affects PGP 5.5.x through PGP 6.5.3 for Windows 95, 98, NT, and 2000. ? Encryption in PGP works via a mathematical formula using a private key and a public key. The public key is known to others, and is usually made available through public sources. The problem

is due to the introduction of another type of key, called an Additional Decryption Key (ADK). These ADKs were the solution that PGP used for key escrow, which provides a means for someone else, like your company or the FBI, to read your encrypted mail. ? The source of the problem is that PGP implemented these ADKs in a way that allows a third party to tamper with them. Normally, ADKs are supposed to be stored in the signed (i.e. encrypted) area of the certificate. The PGP bug permits a malicious user to add an ADK to the unsigned area of the certificate, and since PGP doesn't check where the ADK is, it accepts it as legitimate. A particularly good snooper, exploiting a particular set of circumstances, may be able to secretly add an unsigned ADK to a key, so that when you use the key to send an encrypted message to a trusted correspondent (such as your Swiss Banker), that message could be snooped by a malicious third party. ? According to CERT, if you are running one of the affected versions in Windows, you should right-click on one of your certificates (which is where your keys are kept). Look at the Key Properties. If you see the ADK tab there, someone has added the additional key. Of course, it may be there legitimately, or it may have been put there as part of a spying operation. ? CERT also shows a way for users of GnuPG to check for ADKs. You should give this command: ?

Gpg -list-packet

? If you have a legitimate ADK you will see this in the output: ?

Hashed subpkt 10 len 23 (additional recipient request)

? If the ADK shouldn't be there, the word Hashed will be missing. (Please note that there are conflicting reports as to whether the open source GnuPG is affected by this problem.) ? One aspect of this ADK problem is that the vulnerability happens outside your control. A hacker does not need to break into your computer to tamper with your keys. A vulnerability may occur via one of your correspondents, or via a key server, which is a repository for public keys. According to Network Associates, the PGP Key Server has already been fixed to filter out the fake ADKs. Since the discovery of the problem, NAI did a scan of one of the largest certificate servers. Of the 1.2 million keys on the server, none of them had tampered ADKs. Yesterday, NAI posted a utility, PGPrepair, that will scan existing PGP key rings and repair keys that have been tampered with. There are versions of PGPrepair 1.0 that will work with Windows, Linux, and Solaris, and will repair systems running PGP 2.6.2 and above. PGPrepair is freely downloadable. In addition to PGPrepair, NAI has also posted PGP product patches that are available to registered users. For further information and links to PGPrepair 1.0 visit PGP's ADK advisory.