Beldon Dominello on Sun, 27 Aug 2000 16:18:13 -0400 (EDT)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] PGP ADK Vulnerability.


Vik Bajaj wrote:

> > It's important to note that the above advisory and "bug fix" only
> > addresses the (quite justified) concern that an ADK can be hacked out
> > of the PGP key.
>
> I am not sure exactly what you mean by "hacked out," because all the keys
> involved are public.  Can you clarify?

Well, I have only a slight grasp of how all this works, and I don't use it
myself.  However, as I understand the paper I read (which was the whole paper
behind the advisory to which you linked) under the current (bugged) system, the
ADKs are stored as sub-keys that are not hashed.  To my (admittedly uninformed)
mind, that means that additional ADKs could be added (or altered) without
changing the checksum of the whole key itself.  Now, in the new version, it would
seem that you can't do that (which is good) but an ADK could be added
surreptitiously at creation time (which could be bad, as I think you described
quite well in your response.

--
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GMU/PA/CS/IT d s+:++ a C++ UL++>$ P+ L++>++++ E W++ N++ o-- K w---$ O
M+ V--- PS+ PE Y+ PGP- t+ 5-- X R* tv-- b++ DI++ D+ G++ e+ h--- r+++ y++++
-----END GEEK CODE BLOCK-------
For translation, see http://www.kluge.net/ungeek.html




______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug