Charles Stack on Sun, 27 Aug 2000 16:37:42 -0400 (EDT)



RE: [PLUG] PGP ADK Vulnerability.


The source code for PGP 5.5+ is not available for review as it is closed
source.
The source for RSA's products is also closed source.  If you want access to
those sources, be prepared to fork over $25K for each product in question.
If you have the source code for the PGP versions in question, then please
tell US how you obtained them.

I don't question the integrity of PGP 2.6...that's the pre-commercialized
version of PGP.  I question the integrity of the commercial products with
closed source (version 5.5-6 whatever).  I find it hard to believe that the
ADK was a design flaw given their relationship with the key recovery effort.
But, supposedly, the same design "flaw" exists in some versions of gnuPGP as
well.

Anyway..it's food for thought or fodder.

BTW...there's a black van across the street. <G>  And...yes...I've seen
black helicopters, too. <g>

cjs

-----Original Message-----
From: plug-admin@lists.phillylinux.org
[mailto:plug-admin@lists.phillylinux.org]On Behalf Of Leonard Rosenthol
Sent: Sunday, August 27, 2000 4:13 PM
To: plug@lists.phillylinux.org
Subject: RE: [PLUG] PGP ADK Vulnerability.


At 3:04 PM -0400 8/27/00, Charles Stack wrote:
>What is particularly disturbing to me is that people are calling the
>inclusion of ADKs a design oversight or a bug.  It is neither.

	I think you've definitely been looking for too many black
helicopters lately - there is no smoking gun here.


>I also find
>it disturbing that NAI already has a solution to the problem (as if they
>knew it would surface sooner or later).

	What gave you the impression that they "already had a
solution"?  Because they got the fix out quickly?


>I am as equally appalled that nobody external to NAI caught this issue until
>now (when was PGP 5.5 released?).  It's clear that we can no longer trust NAI
>or any other proprietary security provider to honestly be concerned with our
>privacy.  The only alternative is the open sourced versions.  But, we've
>seen how well that worked as GNUPGP also fell prey to the ADK issue.

	Excuse me, but PGP IS "open source" - at least in the fact
that the sources to PGP have been published (read publicly available)
since day one!

	Why did no one find this problem sooner - it's a VERY large
base of code and I suspect that people were looking for holes in more
obvious places first.  I do think, however, that now that one "hole"
was discovered, some people (perhaps yourself?!?!?) will start
looking more closely at other areas of the code that haven't been as
well reviewed.


>I'd still love to know what the terms were regarding the "legalization" of
>PGP in this country.  Obviously, key escrow was one item agreed upon. And,
>given the known involvement of the players (RSADSI, Security Dynamics, NAI,
>US Gov't (ala Al Gore and Janet Reno)), can we even trust RSA's own products
>or even SSL to be protecting our interests?

	Again, the sources for RSA's algorithms and their Crypto-C,
Crypto-J  and Crypto-SLL implementations are available, as are the
sources for things like Crypto++, OpenSSL, etc.  If you think there's
a problem - go read the code!


>RSADSI published a paper regarding an attack against Elliptic Curves (109
>bit) and determined that EC's of the length can be cracked within a year.
>Given that EC's algorithms typically work with keys that are 160 bits in
>length, is this merely an attack on EC to maintain the RSA fiefdom?

	I think it's simply the first finding against EC.  EC is new
enough that it's taken this long for someone to find out a way to
crack small key length - though it's also been around long enough to
show that it was HARD to find that hole.


Leonard
--
----------------------------------------------------------------------------
                   You've got a SmartFriend? in Pennsylvania
----------------------------------------------------------------------------
Leonard Rosenthol      			Internet:       leonardr@lazerware.com
					America Online: MACgician
Web Site: <http://www.lazerware.com/>
FTP Site: <ftp://ftp.lazerware.com/>
PGP Fingerprint: C76E 0497 C459 182D 0C6B  AB6B CA10 B4DF 8067 5E65


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
