Let's begin with a quote from the official NAI Bug Advisory:

On the morning of Thursday, August 24, researchers in Germany announced the discovery of a bug in PGP versions 5.5 through 6.5.3, regarding how those versions handle unauthorized Additional Decryption Key (ADK) additions to the unhashed/unsigned areas of PGP keys.

Uhmm.....OK. So, then, what's an ADK, what's an unauthorized ADK, and why should anyone give a diddly? Well, it's kind of a long story.

Once upon a time, Phil Zimmermann, computer nerd, crypto expert, and hero of the people, invented a little program called PGP. The story is well-known, and I'm not going to repeat it here. Suffice it to say that, having given this excellent little piece of programming away to anyone who cared to download it, Phil got wrapped around the axle with the government because it worked so well. Phil would also occasionally come up with new versions and upgrades for the program and give them away, too, which didn't make any new friends in the Justice Department.

Phil finally got the government to piss off and leave him alone, at which point he found himself to be the only serious practitioner in the field of strong public-key cryptography for Everyman. Something so enormously useful had obvious commercial value, so Phil incorporated (PGP Inc.), and shortly thereafter sold the whole shooting match to Network Associates Incorporated (NAI). Phil stayed on with NAI as head encryption geek and quality control dude, and NAI began producing advanced (read: "more user and IT friendly, networkable and corporate") versions of his little program.

The Privacy Fringe Nuts (PFN) went ballistic. "Sell-out" was a common term bantered about during this period. Even though Phil continues to this day to ensure that NAI gives out free copies of all their PGP versions to anyone who cares to download it, and publishes the source code for every single one of them so that anyone who desires can root around in them looking for flaws, the PFN just couldn't bring themselves to trust a Corporation who actually proposed to make money with the thing.

As a result, many of these refuse to have anything to do with versions of PGP later than 2.6.X (the last pre-corporate "guerrilla" version, which is primarily DOS-based and command-line driven). The rest of us encryption nuts (yeah, I'm one, too) kept PGP 2.6.X handy, but have generally embraced versions that could be used in Windows instead of screwing around with DOS command lines like:

pgp -stwea input.txt 0x69D3F35D

In the meantime, lost in the babble of wild-eyed loonies who see the NSA under every bed, some serious work was being done by people who actually know what they're talking about. The fact of the matter is that making PGP more and more Windows/GUI friendly was resulting in enormous volumes of very complex code. The original PGP Ver 2.6.X was about 800K, which meant that it would fit nicely on a floppy, including the keys, help files and instruction manual. The last version I got off of the net (Ver 6.5.8) ran about 7.5 Megabytes, and that's compressed. Lotsa code, lotsa opportunity for a screw-up, any one of which might inadvertently compromise the integrity of the program.

In addition to this uncomfortable truth, NAI (who after all wants to make some money on this project) had to put stuff into PGP that was demanded by corporate users, who were willing to pay for it (the not-for-free versions).

In particular, NAI produced the capability for PGP public keys to contain so-called "ADKs" (Additional Decryption Keys). This was a response to the fact that PGP is so good that anything encrypted is totally unrecoverable should the private keyholder become unavailable for one reason or another. This is good for individuals, but bad for corporations and organizations. Consider: One of your employees uses PGP on sensitive company files (good), but then is fired, quits, or dies (bad). All the files he encrypted (which belong to the company) are worthless - completely, 100%, no kidding unrecoverable, ever (very, very bad).

Now, corporations actually pay for their PGP stuff as opposed to individuals, including me, who mostly still get it for free off the net. Corporations, however, won't buy a product that might accidentally put them out of business. Zimmermann and NAI had to invent a way around this little problem if they wanted to put bread on the table of the engineers, techs, office staff, cleaning crew, and the guy who changes the lightbulbs at NAI, not to mention clear a little profit. After all, being a Hero Of The People is pretty cool, but it loses much of its charm when the rent's due. (I'm guessing that if Phil asked all the millions of freebie PGP users to send him a buck each for the trouble he went to, he'd still wind up living in a Maytag box under a freeway overpass. People can be such butts sometimes.)

So was born The Idea: Give the company the capability to add its key to the employee's key, so that anything encrypted to the employee's key is also encrypted to the company's key. This allows decryption by the company regardless of which company employee encrypts the data in the first place. Voilá: An "Additional Decryption Key".

INCIDENTAL SIDE NOTE: This is what the Justice Department wants, except they want their keys or a "Trusted Third Party's" keys added to EVERYONE'S so they can decrypt criminals' stuff. It's called "Key Escrow". As ideas go, this one pretty well sucks. Anyhow, back to our story.

Adding an ADK must be done with the consent (or at least the knowledge) of the person "owning" the key. The ADK is recorded inside the owner's own self-signature on the key, in the part of the signature that is hashed and signed, so putting one there requires the owner's private key and passphrase; just trying to splice it in without them breaks the self-signature and invalidates the key altogether. Because of the way PGP builds and verifies keys (internally hashed and signature-checked), it was thought impossible to covertly manipulate a key in any fashion whatsoever WITHOUT invalidating it.

Of course, the ability to add an ADK to keys sounds suspiciously like a "back door" (see the side note above). Again, the PFN went completely bug-house, wailing, slinging snot, digging deeper bunkers, and banging on the "Conspiracy" drum.

This time, however, they were joined by some really high-profile names in the encryption business, including Schneier (author of "Applied Cryptography," a highly regarded standard book in the field), Rivest (the "R" in the RSA encryption algorithm), Abelson and Schiller (MIT), Diffie (as in the "Diffie-Hellman" key exchange), Bellovin and Blaze (AT&T Labs), and Anderson (Cambridge University, UK). These pros (and other experts) put together a report called "The Risks Of Key Recovery, Key Escrow, And Trusted Third-Party Encryption," first released in 1997 and revised in 1998.

The main thrust of the report was that Key Escrow and Key Recovery systems were a bad idea in general. Although they were very concerned that Key Escrows could be used by government in a less than up-and-up fashion, you're not looking at any Privacy Fringe Nuts (PFN) here; these are respectable folk. They were much more concerned by the fact that the complexity of the program code which allows the ability to manipulate user keys in this fashion might have unforeseen consequences in terms of the basic security of the system. In short, never mind the NSA getting access to Key Escrow - keeping the program secure in general would be a nightmare.

It seemed that their fears were unfounded. For years, repeated attacks on PGP by some really first-rate (and dedicated) hackers and crypto folk resulted in nada - no holes, no backdoors, no hacks. As far as being a program that does what it's supposed to, properly installed and utilized PGP beats practically any other piece of software ever produced for Windows/GUI consumption.

Everything was just peachy until that fateful day: Thursday, August 24, 2000. A crypto/computer guy named Ralf Senderek, who has always thought ADKs were a bad idea, published his findings concerning manipulation of ADKs. The bottom line is that PGP 5.5 through 6.5.3 would honor an ADK found in the unhashed, unsigned area of a key's self-signature, the one part of the signature packet that anyone can edit without breaking the signature. So it is potentially possible for an ADK to be added to a public key without the knowledge of the key owner or anyone else, and the key still checks out as valid. Anyone using that public key from then on out would be encrypting the message to the original owner AND the bad guy who "planted" the ADK. For this exploit to work, the PGP user has to also have the bad guy's public PGP key on his keyring (typically by downloading it from a keyserver), ignore the "Encrypting to ADK" notice, and, in short, really have his head up, but the point is, it's a security hole, never mind the unlikelihood that it will ever be successfully exploited.

As I predicted (see my main PGP page), the fact that he found a hole of any kind in PGP instantly vaulted Ralf from the status of "Rather Obscure German Computer Guy" into the lofty heights of "Household Name" (at least in PGP and crypto circles). As the bubbas say around my home town, he done good. This kind of ongoing, exhaustive, in-depth and PUBLIC analysis of PGP over the years has always been one of its major strengths.

(NOTE: Reading Ralf's paper is a little much unless you're a tech geek with an analytic scientific bent, so a better layman's explanation of how all of this is possible is at the CERT Security Advisory Page.)
Anyhow, NAI immediately released a version of PGP which only honors an ADK that sits in the hashed, signed area of the self-signature, so a bogus ADK in the unhashed area is ignored for encryption (or any other purpose). They also checked millions of keys on public keyservers, and found that not a one had been affected. They followed that up by sending software to all public keyservers which will absolutely strip all bogus ADKs off of submitted keys, and making free software available for home users, corporate users, keyservers, or anyone else having keys to check and, if necessary, repair their own keyrings. So far, not a single instance of this bug being exploited has turned up in all those millions of keys, and none is expected.
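To make the "hashed versus unhashed" business above concrete, here is a toy model of the key tampering Ralf described and of the two fixes that followed (the 6.5.8 behaviour and the keyserver strip). This is an added example, not code from this page, from Ralf's paper, or from NAI's PGP. It follows the OpenPGP v4 signature packet layout (hashed subpacket area, unhashed subpacket area, then the signature), but stands in an HMAC for the real RSA/DSA signature so it runs without any keys; the subpacket type number 10 for the ADK and the ADK body layout (class octet, algorithm octet, 20-octet fingerprint) are assumptions from my reading of PGP's key format, and every key ID, fingerprint and secret below is constructed for the demo.

```python
"""Toy model of the PGP ADK bug (added example, not NAI's code).

An OpenPGP v4 signature covers the version/type/algorithm bytes and the
HASHED subpacket area only; the UNHASHED subpacket area can be edited by
anyone without disturbing the signature.  PGP 5.5-6.5.3 honored ADK
subpackets found in either area; the fix honors hashed ADKs only.
The "signature" here is an HMAC stand-in, not RSA/DSA (assumption).
"""
import hashlib
import hmac
import struct

ADK_SUBPACKET = 10  # subpacket type PGP used for the ADK (assumption, see lead-in)


def encode_subpackets(subpackets):
    """Serialize (type, body) pairs as one-octet-length subpackets (len < 192)."""
    out = b""
    for stype, body in subpackets:
        assert len(body) + 1 < 192, "toy encoder: short subpackets only"
        out += bytes([len(body) + 1, stype]) + body
    return out


def parse_subpackets(buf):
    """Inverse of encode_subpackets: returns a list of (type, body)."""
    subs, i = [], 0
    while i < len(buf):
        length = buf[i]
        if length >= 192:
            raise ValueError("toy parser: multi-octet lengths not handled")
        subs.append((buf[i + 1], buf[i + 2:i + 1 + length]))
        i += 1 + length
    return subs


def make_selfsig(hashed, unhashed, signing_secret):
    """Build a v4-style self-signature body.  Only signed_part is MACed."""
    h = encode_subpackets(hashed)
    u = encode_subpackets(unhashed)
    # version 4, positive certification 0x13, DSA (17), SHA-1 (2), hashed area
    signed_part = bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(h)) + h
    mac = hmac.new(signing_secret, signed_part, hashlib.sha1).digest()
    return signed_part + struct.pack(">H", len(u)) + u + mac


def split_sig(pkt):
    """Return (signed_part, hashed_subs, unhashed_subs, mac)."""
    hlen = struct.unpack(">H", pkt[4:6])[0]
    signed_part = pkt[:6 + hlen]
    ulen_off = 6 + hlen
    ulen = struct.unpack(">H", pkt[ulen_off:ulen_off + 2])[0]
    unhashed = pkt[ulen_off + 2:ulen_off + 2 + ulen]
    mac = pkt[ulen_off + 2 + ulen:]
    return signed_part, parse_subpackets(signed_part[6:]), parse_subpackets(unhashed), mac


def verify_selfsig(pkt, signing_secret):
    """Recompute the MAC over the signed part only (the unhashed area is not covered)."""
    signed_part, _, _, mac = split_sig(pkt)
    expected = hmac.new(signing_secret, signed_part, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


def adks(pkt, honor_unhashed):
    """ADK bodies a client would encrypt to.  honor_unhashed=True models
    PGP 5.5-6.5.3; honor_unhashed=False models the 6.5.8 fix."""
    _, hashed, unhashed, _ = split_sig(pkt)
    found = [body for t, body in hashed if t == ADK_SUBPACKET]
    if honor_unhashed:
        found += [body for t, body in unhashed if t == ADK_SUBPACKET]
    return found


def plant_adk(pkt, adk_body):
    """The attack: append an ADK subpacket to the unhashed area, MAC untouched."""
    signed_part, _, unhashed, mac = split_sig(pkt)
    u = encode_subpackets(unhashed + [(ADK_SUBPACKET, adk_body)])
    return signed_part + struct.pack(">H", len(u)) + u + mac


def strip_unhashed_adks(pkt):
    """Keyserver-side repair: drop every ADK subpacket from the unhashed area."""
    signed_part, _, unhashed, mac = split_sig(pkt)
    u = encode_subpackets([(t, b) for t, b in unhashed if t != ADK_SUBPACKET])
    return signed_part + struct.pack(">H", len(u)) + u + mac


# Constructed sample data: an employee's clean self-signature and an attacker's ADK.
OWNER_SECRET = b"employee-private-key-stand-in"
ATTACKER_ADK = bytes([0x80, 17]) + bytes.fromhex("ab" * 20)  # class, alg, fingerprint
CLEAN = make_selfsig(hashed=[(2, b"\x39\xa5\x1c\x00")],                    # creation time
                     unhashed=[(16, b"\x12\x34\x56\x78\x9a\xbc\xde\xf0")],  # issuer key ID
                     signing_secret=OWNER_SECRET)
TAMPERED = plant_adk(CLEAN, ATTACKER_ADK)

if __name__ == "__main__":
    print("tampered key still verifies:", verify_selfsig(TAMPERED, OWNER_SECRET))
    print("PGP 5.5-6.5.3 would also encrypt to:", adks(TAMPERED, honor_unhashed=True))
    print("PGP 6.5.8 encrypts to:", adks(TAMPERED, honor_unhashed=False))
    print("after keyserver strip:", adks(strip_unhashed_adks(TAMPERED), honor_unhashed=True))
```

The thing to notice is that plant_adk never touches the MAC and the key still verifies; the only defence is policy in the reader, which is exactly what 6.5.8 changed. A legitimate corporate ADK goes into the hashed list passed to make_selfsig, and only the owner's secret can produce a signature that covers it.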

(NOTE: The "fixed" version is PGP Ver 6.5.8 or higher. Get it HERE. The key check and fix for Windows and DOS keyrings is HERE.)
NAI knows that they've really shot themselves in the foot. If they didn't know it, having the 1998 Key Recovery study I mentioned above viciously stuffed into their "I Told You So" orifice about every fifteen minutes since the news broke has gotten their attention. They're scrambling like big dogs to get this sorted out, including making an immediate fix, and publishing open letters from the President of PGP Security (Wallach) and Phil Zimmermann his ownself concerning the bug, apologizing for it, explaining how it happened, and being pretty annoyed that the PFN are already on a major "Sky Is Falling / Government Conspiracy" jag.

Bottom Line? Load PGP Ver 6.5.8, check your keyrings, and move on. It's still secure, and NAI, Zimmermann, et al, are so sweaty to avoid another glitch that I suspect it will continue to be secure for at least the next few version releases...

For another perspective, check David Ross' excellent "PGP: Additional Decryption Key" (ADK) Page. While containing much of the same information, David's approach to the problem is somewhat different, and contains more technical detail.

Side Note To Phil Z If You're Ever Reading This:

(Heh, heh...yeah, that'll happen...)

OK, Phil, that's one. Everyone gets a freebie, and especially you, considering your work on Crypto for Everyman. I'll betcha I'm not such a sweetie on the next one, though....it's only a short step from crypto nut to PFN, and I wobble over the line a lot anyway...

- Jim W -



©2000, 2001 All Rights Reserved