[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FYI] (Fwd) Serious bug in PGP - versions 5 and 6
- To: "Debate" <debate@fitug.de>
- Subject: Re: [FYI] (Fwd) Serious bug in PGP - versions 5 and 6
- From: "Kai Raven" <kai.raven@ob.kamp.net>
- Date: Thu, 24 Aug 2000 13:43:00 +0200
- Cc: krypto@thur.de
- Comment: This message comes from the debate mailing list.
- In-Reply-To: <39A4F6B3.14154.176E28@localhost>
- References: <39A4F6B3.14154.176E28@localhost>
- Sender: owner-debate@fitug.de
Hallo,
On 24.08.00 to subject "[FYI] (Fwd) Serious bug in PGP - versions 5 and 6
", you wrote:
>The effect is that GCHQ can create a tampered version of your PGP
>public key containing a public key whose corresponding private key is
>also known to themselves, and circulate it. People who encrypt traffic
>to you will encrypt it to them too.
>The problem won't go away until all vulnerable versions of PGP are
>retired, since it's the sender who is responsible for encrypting to
>the ADKs, not the recipient.
>In the meantime there might be a nasty denial-of-service attack in
>which bad guys upload tampered versions of everybody's public keys to
>all the public keyrings.
Genau dieser Teil interessiert mich besonders:
Kann man einen derart modifizierten Public Key zu den Keyservern hochladen
und würde dieser Key akzeptiert/aktualisiert?
Denn die meisten PGP Anwender werden sich die Keys von den Servern holen
und wenn obiges möglich wäre, würde ich doch als Angreifer zuerst
versuchen, den Key auf dem Keyserver durch einen "ADK-geimpften"
auszutauschen.
Ciao
Kai
--
Homepage: http://home.kamp.net/home/kai.raven/index.html
PGP:2048-RSA: 96FC7E3F DH/DSS PGP-Key ID: 0xB08FCDFD