Title: PGP ADK Insertion Vulnerability
Severity: HIGH
Description:
A vulnerability exists in certain versions of PGP that support ADKs (Additional Decryption Keys), potentially allowing an attacker to insert a public key into the unsigned portion of the victim's public key. As a result, all communications sent to the victim and encrypted with the altered public key would also be encrypted for the attacker, who could then decrypt them with his own key.
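A defensive check for the condition described above, as an added example that is not part of the original advisory or of PGP's code: it flags ADK subpackets that sit in the unhashed (unsigned) area of a signature. It assumes the RFC 4880 v4 signature layout and that the ADK is carried in signature subpacket type 10, neither of which this page states; the helper names and the sample packets are constructed.

```python
import struct

ADK_SUBPACKET = 10  # assumption: type 10 is PGP's ADK subpacket ("placeholder" in RFC 4880)

def subpackets(area):
    """Yield (type, data) for each subpacket in an RFC 4880 subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket overruns its area")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask the critical bit
        i += length

def split_areas(body):
    """Return (hashed, unhashed) subpacket areas of a v4 signature packet body."""
    if len(body) < 8 or body[0] != 4:
        raise ValueError("not a v4 signature body")
    h_end = 6 + struct.unpack(">H", body[4:6])[0]
    if h_end + 2 > len(body):
        raise ValueError("hashed area overruns packet")
    u_start = h_end + 2
    u_end = u_start + struct.unpack(">H", body[h_end:u_start])[0]
    if u_end > len(body):
        raise ValueError("unhashed area overruns packet")
    return body[6:h_end], body[u_start:u_end]

def unsigned_adks(body):
    """ADK subpackets in the unhashed area: not covered by the signature."""
    return [d for t, d in subpackets(split_areas(body)[1]) if t == ADK_SUBPACKET]

# Constructed sample signature bodies (no real key material, MPIs omitted).
def _sub(t, data): return bytes([len(data) + 1, t]) + data
def _sig(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00")
ADK = bytes(22)  # constructed placeholder payload
SIGNED_ADK = _sig(_sub(2, bytes(4)) + _sub(10, ADK), _sub(16, bytes(8)))
INSERTED_ADK = _sig(_sub(2, bytes(4)), _sub(16, bytes(8)) + _sub(0x8A, ADK))
```

`unsigned_adks` takes the body of a single signature packet, so an armored key must first be dearmored and split into packets; any non-empty result means the key carries an ADK that its owner's signature does not protect.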
Affected Products:
- Network Associates PGP 5.5.3i for Windows
- Network Associates PGP 6.5.1i for Unix
- Network Associates PGP 6.5.3i for Windows
References:
- Multiple Authors: The Risks of Key Recovery, Key Escrow and Trusted Third-Party Encryption
- PGP Security: PGP ADK Security Advisory
- Ralf Senderek: Key Experiments - How PGP Deals With Manipulated Keys