ietf-openpgp

Re: PGP evolving, improving

1997-12-03 00:32:04
-----BEGIN PGP SIGNED MESSAGE-----


In <3479420D(_dot_)27A54854(_at_)systemics(_dot_)com>, on 11/24/97 
   at 03:59 AM, Ian Grigg <iang(_at_)systemics(_dot_)com> said:

As I recall, the flaws are:

 * create an arbitrary ID, and therefore spoof a key server
 * create a key with the same fingerprint as another, under
   some conditions, and thus spoof the server/key.

For more detail, check out Gary's HIP-paper on
http://www.hotlava.com/doc/fag-pgp/  I should note that PGP Inc have
stated that all but one of the issues was known and fixed.

So there are problems with the old PGP system.  But, and it's an
important but, these (key) problems only affect keyservers in general. 
As most people don't use key servers, this is not a tremendous problem,
and certainly not justification for dropping the old formats.  It is of
course more important to PGP Inc as their products use key servers
automatically.

It is also possible to create a key that spoofs *both* keyID &
keyFingerprint. With the old formats the only sure way for verifying a key
was to take the size, keyID, & keyFingerprint.

There was another spoof that I came across (last year I think) dealing
with the display of key information by PGP. The reason I bring this up is
that it is something to look out for when displaying key data to the user. I
have attached a copy of the key to this message.

OK I found my post to the coderpunks list:
=========================================================================

Hi,

While doing some analysis on the BAL server keyrings I came across this PGP
key that may be of interest:

- -- 

Type Bits/KeyID    Date       User ID
pub   512/37CD5C41 1994/08/16 Big, Important Person
sig       38D011C8             Trusted Introducer
            Key fingerprint = C4 8A BB 58 B1 A6 53 6F  21 AD 45 84 50 1D AA 6C


What is interesting about the key is it has not been signed even though a
signature is shown from a pgp -kvvc output!

How was this done??

The clever creator of this key formatted his userid in such a way that when
displayed it would look like there was a valid signature for the key. The
entire "sig" line is really part of the userid for the key.

I have attached a copy of the key if anyone is interested in looking at how
it was created.

For some of my scripts I had been parsing the output of PGP to build
information on the keys in the keyring. Since then I have switched to
extracting the data directly from the keyring. It was while I was testing
this new code that I came across this key. Glad I switched methods :))

=========================================================================


As to the MD5 weakness, yes, you are correct there: theoretical
weaknesses do not mean an unseemly dumping of the existing user base is
warranted.

I have a patched version of PGP 2.6.x on my web site that allows it to use the 
SHA1 hash. I also fixed a "feature" in 2.6.x where if a message was encrypted 
with RSA but signed with an unknown algorithm it would fail not only the 
signature verification but the decryption too! The patched version will now 
decrypt the messages and warn of a verification failure.

- -- 
- ---------------------------------------------------------------
William H. Geiger III  http://users.invweb.net/~whgiii
Geiger Consulting    Cooking With Warp 4.0

Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 2.6.3a at: http://users.invweb.net/~whgiii/pgpmr2.html                 
       
- ---------------------------------------------------------------
begin 666 tmp.pgp
MF0!-`BY1%KT```$"`+FM2B,)5OW:<+4FOYUB!BH]G-(_at_)X6`>$N[EKT1.+*Y/\
MA?XH_K99<Y#>!_=!<V)FQ!P.[%?:M/:(J;:?0C?-7$$`!1&T1T)I9RP(_at_)26UP
M;W)T86YT(%!E<G-O;@IS:6<@("`@("`@,SA$,#$Q0S@@("`@("`@("`@("`@
25')U<W1E9"!);G1R;V1U8V5R
`
end

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a-sha1
Charset: cp850
Comment: Registered_User_E-Secure_v1.1b1_ES000000

iQCVAwUBNIULA49Co1n+aLhhAQL0JAP9FtmsOBcNwUwULvhTKRYemh1B0lw3HQf6
54czVNEQ8EZdjI3H3gnJcUMU2hWF+MPawJnMSIMeRN17boblD0M5Yuyi7eQGE58E
YQ6YhzegFeF/JfBo0DMJU6hlQjRCmJMbYpfTv4I16wyPAq5+YPYAyKtMx+Ta5xq7
Jy8DlYkj7J4=
=RDsm
-----END PGP SIGNATURE-----
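
Added example (not part of the original message and not PGP's own code): the user-ID display spoof described in the message above works because key data is printed verbatim and then trusted line by line. This Python code reads User ID packets directly from old-format keyring bytes, flags embedded control characters and renders each ID on a single line; the function names and the sample keyring are constructed for illustration.

```python
TAG_PUBLIC_KEY, TAG_USER_ID = 6, 13  # OpenPGP packet tags

def iter_old_format_packets(data: bytes):
    """Yield (tag, body) for old-format packets, the framing PGP 2.6.x keyrings use."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80 or ctb & 0x40:
            raise ValueError(f"no old-format packet header at offset {pos}")
        tag, len_type = (ctb >> 2) & 0x0F, ctb & 0x03
        if len_type == 3:
            raise ValueError("indeterminate-length packet: not handled here")
        width = 1 << len_type  # 1, 2 or 4 length octets
        start = pos + 1 + width
        length = int.from_bytes(data[pos + 1:start], "big")
        if start + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[start:start + length]
        pos = start + length

def render_user_id(raw: bytes) -> str:
    """One-line display form: control and other non-printable bytes become \\xNN."""
    out = []
    for ch in raw.decode("latin-1"):  # latin-1 maps every byte, so this never fails
        if ch == "\\":
            out.append("\\\\")  # keep the escaping unambiguous
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(f"\\x{ord(ch):02x}")
    return "".join(out)

def audit_user_ids(keyring: bytes):
    """Return [(display_safe_user_id, has_control_chars)] for each User ID packet."""
    return [(render_user_id(body), any(b < 0x20 or b == 0x7F for b in body))
            for tag, body in iter_old_format_packets(keyring) if tag == TAG_USER_ID]

def make_packet(tag: int, body: bytes) -> bytes:
    """Build a constructed old-format packet with a one-octet length (body < 256)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample data, not the key attached to the message.
SPOOFED_UID = b"Big, Important Person\nsig       38D011C8             Trusted Introducer"
SAMPLE_KEYRING = (make_packet(TAG_PUBLIC_KEY, bytes(8))      # dummy key material
                  + make_packet(TAG_USER_ID, SPOOFED_UID)
                  + make_packet(TAG_USER_ID, b"Alice Example <alice@example.org>"))

if __name__ == "__main__":
    for shown, flagged in audit_user_ids(SAMPLE_KEYRING):
        print("uid  ", shown, "  <-- control characters in user ID" if flagged else "")
```

Because the newline is shown as \x0a, the forged "sig" text stays on the user ID's own line and cannot be mistaken for a separate signature record.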

