Vulnerability

    PGP

Affected

    PGP-5.5.3i, PGP-6.5.1i

Description

    There  is  a  serious  bug  in  some  versions  of  PGP related to
    additonal decryption  keys (ADK).   For more  information look  at
    John Young's site which details some of this:

        http://cryptome.org/pgp-badbug.htm

    A paper  detailing an  aspect of  the vulnerability  is written by
    Ralf Senderek:

        http://senderek.de/security/key-experiments.html

    and his student  Stephen Early seems  to have worked  on detailing
    this vulnerability as  well on the  ukcrypto mailing list.   Below
    are some additional information.

    Additional Decryption Keys (ADKs) is a feature introduced into PGP
    (Pretty Good  Privacy) versions  5.5.x through  6.5.3 that  allows
    authorized extra decryption  keys to be  added to a  user's public
    key certificate.   However, an implementation  flaw in PGP  allows
    unsigned ADKs which have  been maliciously added to  a certificate
    to be used for encryption.

    This advisory refers to "PGP certificates", which most users would
    refer to as a "PGP keys".  PGP certificates are the files used  to
    store and exchange keys. A certificate contains one or more  keys,
    as  well  as  other  information   such  as  the  creation   time,
    signatures by other keys, and "additional decryption keys".

    An  Additional  Decryption  Key  (ADK)  is  a mechanism by which a
    second decryption key can be associated with a user's primary  key
    in a certificate.   All data encrypted  for the primary  key would
    also be encrypted with the  second key.  This configuration  might
    be used, for  example, in environments  where data encrypted  with
    an individual's key also needs to be available to their employer.

    The  ADK  feature  is  intended  to  only  be  available  on those
    certificates where  the user  specifically consented  to having an
    additional key  associated with  theirs.   However, because  of an
    implementation  flaw  in  some  versions  of  PGP, ADKs added to a
    victim's certificate by an attacker may be used for encryption  in
    addition to the victim's key without their consent.

    Since a user's public key certificate is often widely distributed,
    an attacker could make this modification to a specific copy of the
    certificate  without  the  legitimate  user's  knowledge.   When a
    vulnerable  version  of  PGP  uses  the  modified  certificate for
    encryption, it fails  to detect that  the ADK is  contained in the
    unsigned portion of the certificate.  Because PGP does not  report
    an invalid signature, senders using the modified certificate  have
    no  way  to  detect  the  modification  without complicated manual
    inspection.

    No  legitimately  produced  PGP  certificate  will  exhibit   this
    vulnerability,  nor  is  this  an  inherent  weakness  in  the ADK
    functionality.  Your exposure to this vulnerability is independent
    of whether or not you legitimately employ ADKs.

    The PGP Software Development Kit (PGP SDK) has this vulnerability,
    implying that PGP plugins  and other PGP enabled  applications may
    be  vulnerable  as  well.   Attackers  who  are  able  to modify a
    victim's public certificate may  be able to recover  the plaintext
    of  any  ciphertext  sent  to   the  victim  using  the   modified
    certificate.

    For this vulnerability to  be exploited, the following  conditions
    must hold

        * the sender must be using a vulnerable version of PGP
        * the send must be encrypting data with a certificate modified
          by the attacker
        * the sender have the key  for the bogus ADK already on  their
          local keyring
        * the attacker be able to obtain the ciphertext sent from  the
          sender to the victim

    Taken  together,  these  factors  limit reasonable exploitation of
    this vulnerability to those situations in which the key identified
    as the ADK is known valid key.  This might occur when the attacker
    is an insider known to the victim, but is unlikely to occur if the
    attacker is a completely unrelated third party.

    Since the key associated with the ADK is clearly listed as one  of
    the recipients  of the  ciphertext, it  is likely  that the sender
    might  notice  this  and  be  able  to identify the attacker.  The
    recipient  may  use  any  type  of  PGP  key,  including  RSA  and
    Diffie-Hellman.  The version of  PGP used by the recipient  has no
    impact on the attack.

Solution

    Network Associates  has produced  a new  version of  PGP 6.5 which
    corrects this vulnerability by requiring that the ADK be  included
    in  the  signed  portion  of  the  certificate.   Neither  RSA nor
    Diffie-Hellman have this problem.

    - Check  certificates for  ADKs before  adding them  to a keyring.
      Users  of  PGP  who  want  to  ensure  that they are not using a
      modified certificate should check for the existence of ADKs when
      adding new keys to their keyring. Certificates that do not  have
      ADKs are not vulnerable to this problem.  Certificates which  do
      have ADKs may be legitimate or modified and should be  confirmed
      using an out-of-band communication.

      Users of PGP 6.x for Windows and MacOS can test for the presence
      of ADKs in  a certificate by  right clicking on  the certificate
      and selecting "Key Properties".  If the ADK tab is present,  the
      key has one or more ADKs and might be a malicious certificate.

    - Users of  GnuPG can test  for certificates with  ADKs by running
      the command

        gpg --list-packet

      Certificates with legitimate ADKs will contain in the output

        hashed subpkt 10 len 23 (additional recipient request)

      while those missing the "hashed" keyword

        subpkt 10 len 23 (additional recipient request)

      appear to indicate maliciously modified certificates.

    - Make  a  reliable  copy  of  your  public  certificate  publicly
      available.

      Since  the  recipient  of  messages  encrypted  with  a modified
      certificate cannot  prevent the  plaintext from  being recovered
      by the attacker, their best  course of action is to  ensure that
      senders are  able to  easily obtain  legitimate copies  of their
      public certificate.

      Until this problem  has been widely  corrected, you may  wish to
      make your  legitimate certificate  available in  a location that
      is strongly  authenticated using  a different  technology, or to
      make it available in more than one place.

      You may also want to check that your public certificate has  not
      been modified on  the public certificate  servers.  Changes  are
      likely to  be made  to the  popular PGP  certificate servers  to
      detect and reject invalid  certificates that attempt to  exploit
      this vulnerability.

    The MIT  web site  should have  a new  PGP 6.5.x  freeware release
    early Friday,  and the  NAI/PGP web  site should  have patches out
    for the commercial releases at about the same time.

    PGP updated softwares (http://web.mIt.edu/network/pgp.html):

        - PGP Freeware v6.5.8 is now available for Windows 95/98/NT/2000! and the Macintosh
        - PGP Freeware v6.5.8 is MacOS 7.6.1+
        - PGP Command Line Freeware v6.5.2 is now available for AIX/HP-UX/Linux/Solaris!
        - PGP Certificate Server Freeware v2.5.1 is now available for Windows NT/2000 and Solaris!