A security bug in PGP products?

Dr Adam Back adam at cypherspace.org
Tue Aug 22 15:58:17 EDT 2006


What they're saying is if you change the password, create some new
data in the encrypted folder, then someone who knew the old password,
can decrypt your new data.

Why?  Well because when you change the password they don't change the
symmetric key used to encrypt the data.  The password is used to
create a KEK (key encryption key) and this in turn is used to encrypt
the folder key (which is used to do the actual data encryption.)  Now
in common with a lot of other systems, changing the password does not
entail re-encrypting the actual data.

(To do so would require waiting for it to re-encrypt.  There are
systems that do this, but it is a tradeoff, especially in a
single-user scenario)

Personally my preferred security property (in a multi-user storage
system where users can be added and removed) is that people who had
access can still decrypt the stuff they had access to, but can't
decrypt new data encrypted since then.  I think it's a good balance
because that person had the data anyway, and could remember it, have
backups of it etc.

Another thing that can be done is to utilize an online server, which
has an additional key such that it can't decrypt, but can hand it over
on successful auth and can delete that key on request.  Obviously the
key would be combined in a one-way fashion so the server does not have
to be trusted other than to delete keys on request.

However the article also talks about forensics, and I think they may be
confusing something there because most encrypted content is not
authenticated anyway (you can merrily switch around ciphertext blocks
without triggering any integrity warnings at the crypto level).  And
anyway if the forensic investigator has the password, he can change
anything! -- symmetric encryption keys known to others are not
signatures.

Adam

On Mon, Aug 21, 2006 at 03:36:16PM -0700, Max A. wrote:
> Hello!
> 
> Could anybody familiar with PGP products look at the following page
> and explain in brief what it is about and what are consequences of the
> described bug?
> 
> http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> The text there looks to me rather obscure with a lot of unrelated stuff.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
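
The password / KEK / folder-key layering described in the message above, as an added example that is not part of the original post and is not PGP's code. It assumes PBKDF2 as the password-to-KEK function, uses an HMAC-SHA256 keystream as a stdlib stand-in for the real cipher, and assumes the old-password holder unwrapped and kept the folder key while the old password was valid; all function names are hypothetical.

```python
import hashlib, hmac, os

def kek_from_password(password, salt):
    # Password -> KEK (key encryption key). PBKDF2 is an assumed KDF choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def stream_xor(key, nonce, data):
    # Stand-in cipher: HMAC-SHA256 keystream XORed with the data.
    # Unauthenticated, illustration only; the same call encrypts and decrypts.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(password, folder_key):
    # Header = salt || folder key encrypted under the KEK.
    salt = os.urandom(16)
    return salt + stream_xor(kek_from_password(password, salt), salt, folder_key)

def unwrap(password, header):
    return stream_xor(kek_from_password(password, header[:16]), header[:16], header[16:])

def seal(folder_key, plaintext):
    nonce = os.urandom(16)
    return nonce + stream_xor(folder_key, nonce, plaintext)

def open_(folder_key, blob):
    return stream_xor(folder_key, blob[:16], blob[16:])

def demo():
    folder_key = os.urandom(32)
    header = wrap("old-password", folder_key)
    retained = unwrap("old-password", header)  # kept by the old-password holder

    # Password change as described: only the wrapping changes, not the folder key.
    header = wrap("new-password", unwrap("old-password", header))
    same_key = unwrap("new-password", header) == retained
    new_blob = seal(unwrap("new-password", header), b"written after the change")
    readable = open_(retained, new_blob) == b"written after the change"

    # Alternative: a fresh folder key for data written after the change
    # (data written earlier would stay under the old key).
    rotated = os.urandom(32)
    header = wrap("new-password", rotated)
    rot_blob = seal(rotated, b"written after rotation")
    readable_after_rotation = open_(retained, rot_blob) == b"written after rotation"
    return same_key, readable, readable_after_rotation

if __name__ == "__main__":
    print(demo())
```
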


