The PGP Bug Report
  1. The ADK Bug
  2. The "Known Cyphertext" Vulnerability
  3. Microsoft Windows Plugin Vulnerability

1. The ADK Bug

In August of 2000, a German researcher named Ralf Senderek discovered a bug in the ADK (Additional Decryption Key) routines used by virtually all versions of PGP later than 2.6.X. This is the first major security glitch ever discovered in PGP and, as expected, Senderek became instantly famous in The Community. NAI fixed it overnight after it was reported, and no exploit of the bug has ever been found "in the wild". Click here for a full description of the bug (with links) and what it means to you (not much...the program's still solid, especially for individual users who have no use for corporate-version ADKs in any event).

IMPORTANT: Even though the potential attack is fairly esoteric, and unlikely in the extreme to affect you, it is strongly recommended you upgrade PGP to Version 6.5.8 or later to take advantage of the bug fix.

We now return you to your regularly scheduled program....

Even though Ralf discovered the first security glitch, he still likes PGP (or at least up to version 2.6.X). The only argument he has with current "Windows" versions is that their complexity makes it difficult to ensure that there isn't a hole accidentally or deliberately placed in the software. See his Jan 2001 paper on the subject here, and the "Windows Plugin Vulnerability" below for confirmation that he was right.

2. The "Known Cyphertext" Vulnerability

This is a recent one (August 2002). The theoretical possibility of this attack has been known for years, but no one believed that there would be a practical way to implement it.

Some pretty good layman's discussions of this attack can be found at PC World Magazine and eWeek. If you're a tech geek and are up to speaking crypto with the pros, you might want to check the original paper by Counterpane Labs' K. Jallad, J. Katz, and B. Schneier (available in PDF and PostScript formats).

The basic attack goes like this:

Now, the attack becomes enormously more difficult (some say impossible) if the message is compressed before it is sent. Since all Windows versions (through at least 6.5.8) always compress (exception noted below), and all command-line versions are set to compress by default, this shouldn't be a problem. The only exception is if you're using a command-line version and have turned compression off in the pgp.cfg file. If you have done that for some unfathomable reason, turn it back on.

NOTE THE EXCEPTION: PGP for Windows will NOT compress something that's already been compressed (zip files, JPGs, etc.) nor certain binaries, as they're already as compressed as they can get. This is generally not a problem, as most email messages are text, which compresses nicely, thank you very much. Avoid zipping files before PGP encrypting them for this reason.

Further, the attack cannot be done at all unless Eve's ENTIRE message to Bob is sent back to her by Bob. In short, a little social engineering is necessary, even assuming all the other elements are in place. Don't include the full text of anyone's email to you when you reply to them, and you CANNOT be attacked using this method.
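A pre-encryption check for the compression exception noted above, as an added example that is not part of the original page or of PGP itself. The magic-byte table, the 0.9 ratio threshold and all function names are assumptions chosen for illustration; PGP's own test for "already compressed" may differ.

```python
import hashlib
import io
import zipfile
import zlib

# Leading bytes of common already-compressed formats (well-known file signatures).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x1f\x8b": "gzip",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}

# Assumed threshold: deflate output at or above 90% of the input size
# is treated as "gains nothing from compression".
RATIO_LIMIT = 0.9


def compression_check(data: bytes) -> tuple[bool, str]:
    """Return (compressible, reason) for a payload about to be encrypted.

    False means the compression step is likely to be skipped or useless,
    so the compression mitigation described above should not be relied on.
    """
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return False, f"{name} header"
    if not data:
        return False, "empty input"
    ratio = len(zlib.compress(data, 6)) / len(data)
    return ratio < RATIO_LIMIT, f"deflate ratio {ratio:.2f}"


def constructed_samples() -> dict[str, bytes]:
    """Build sample payloads in memory (constructed for this example)."""
    text = b"Meet me at the usual place at noon. " * 20
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("msg.txt", text)  # the same text, zipped first
    # Deterministic high-entropy bytes standing in for an unrecognised binary.
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return {"plain text": text, "zipped text": buf.getvalue(), "binary": noise}


if __name__ == "__main__":
    for label, payload in constructed_samples().items():
        ok, reason = compression_check(payload)
        print(f"{label:12s} compressible={ok} ({reason})")
```

The zipped sample is flagged even though the text inside it compresses well, which is the situation the advice about not zipping before encrypting is meant to avoid.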

3. The Microsoft Windows Plugin Vulnerability

As predicted by Senderek (click The ADK Bug for more info, or read his 2001 paper here), the increasing complexity of PGP's software, designed to increase ease of use with the Windows GUI, has resulted in a security compromise. Versions 7.0.3 and 7.0.4 of the PGP Desktop Security plug-in and version 7.0.3 of the PGP freeware are vulnerable to this exploit, which essentially involves a specifically malformed email which forces the software into "decrypt." This has been patched (get it here).

Note that this sort of thing wasn't possible in earlier versions, since PGP actually required you to DO something to decrypt information, rather than incorporating a "plugin" to do it for you which is built on top of some of the most notoriously insecure software on earth (MS Windows in general and MS Outlook/Outlook Express in particular). It was gonna happen sooner or later.

Get the patch, and stop using that kind of crap.