Additional Decryption Keys (ADKs) is a feature introduced into PGP (Pretty Good Privacy) versions 5.5.x through 6.5.3 that allows authorized extra decryption keys to be added to a user's public key certificate. However, an implementation flaw in PGP allows unsigned ADKs which have been maliciously added to a certificate to be used for encryption.
Data encrypted with PGP 5.5.x through 6.5.3 using a modified certificate will generate ciphertext encrypted with the ADK subject to the conditions list in the impact section. The attacker who modified the certificate can obtain the plaintext from this ciphertext.
PGP does not correctly detect this form of certificate modification because it fails to check if the ADK is stored in the signed (hashed) portion of the public certificate. As a result, normal methods for evaluating the legitimacy of a public certificate (fingerprint verification) are not sufficient for users of vulnerable versions of PGP.
Additional Decryption Keys
This document refers to "PGP certificates" which most users would refer to as a "PGP key". PGP certificates are the file format used to store and exchange keys. A certificate may contain one or more keys, the creation time, signatures by other keys, and other extensions such as "additional decryption keys".
An Additional Decryption Key (ADK) is a mechanism by which a second decryption key can be associated with a user's primary key. All data encrypted for the primary key would also be encrypted with the second key. This configuration might be used for example in environments where data encrypted with an individual's key also needs to be available to their employer.
The ADK feature is intended to only be enabled on those keys where the user specifically consented to having an additional key associated with theirs. However, because of an implementation flaw in PGP 5 and 6, an attacker can circumvent this consent.
Since a user's public key certificate is often widely distributed, an attacker could make this modification to a specific copy of the certificate without the legitimate user's knowledge. When PGP uses the modified certificate for encryption, it fails to detect that ADK is contained in the unsigned portion of the certificate. Because PGP does not report an invalid signature, senders using the modified certificate have no way to detect the modification, without complicated manual inspection.
No legitimately produced PGP certificate will exhibit this vulnerability, nor is this an inherent weakness in the ADK functionality. Your exposure to this vulnerability is independent of whether or not you legitimately employ ADKs.
The PGP Software Development Kit (PGP SDK) has this vulnerability, implying that PGP plugins and other PGP enabled applications may be vulnerable as well. We will provide additional information as it becomes available.
Attackers who are able to modify a victim's public certificate may be able to recover the plaintext of any ciphertext sent to the victim using the modified certificate.
Viewing the keys in a GUI interface clearly shows that an ADK is associated with a given recipient, as shown in this image.
Since the key associated with the ADK is clearly listed as one of the recipients of the ciphertext, it is likely that the sender might notice this and be able to identify the attacker.
The recipient may use any type of PGP key, including RSA and Diffie-Hellman. The version of PGP used by the recipient has no impact on the attack.
The CERT Coordination Center thanks Ralf Senderek for bringing this problem to light and Network Associates for developing a solution and assisting in the preparation of this document.
This document was written by Cory Cohen, Shawn Hernan, Jeff Havrilla, and Jeffrey P. Lanza. Graphics developed by Matt DeSantis.