Two years later, his concern was validated. On August 24, 2000, Senderek discovered a vulnerability in PGP versions 5 and 6, and also found six PGP public keys vulnerable to unauthorized ADK modification. The affected versions honor ADK subpackets found in the unsigned (unhashed) part of a public key's self-signature, the part that the key owner's signature does not cover. Any third party can therefore issue a tampered copy of someone's PGP public key carrying an ADK subpacket that names the third party's own key, and the tampered copy still passes signature verification. Anything encrypted to the tampered copy of Jane User's public key is then also encrypted to Joe Intruder's public key, giving Joe access to private data meant only for Jane's eyes.
"Key Experiments: How PGP Deals with Manipulated Keys," Ralf Senderek (August 2000): http://senderek.de/security/key-experiments.html
"Serious Bug in PGP Versions 5 and 6," Ross Anderson (August 2000): http://cryptome.org/pgp-badbug.htm
As Senderek points out, the problem will not go away until every vulnerable PGP version is retired, because the ADK is honored by the sender's software at encryption time: it is the sender's copy of PGP that encrypts to the ADK, and nothing the recipient does with her own copy can prevent it. Keep in mind that the vast majority of NAI PGP users also use programs such as Microsoft Outlook (already demonstrably insecure, considering the Melissa and ILOVEYOU variants that brought such systems to their knees). It is easy to suppose that such users would not detect an unauthorized ADK attack if they experienced it.
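To make the mechanism concrete, here is an added example (not code from the original article, from Senderek, or from NAI's PGP) that shows where the tampering lives in the key's data structure. It parses the hashed and unhashed subpacket areas of a v4 OpenPGP self-signature (RFC 4880 section 5.2.3) and reports every ADK subpacket (type 10), distinguishing ones in the hashed area, which the key owner signed, from ones in the unhashed area, which anyone could have appended after the fact. The ADK subpacket body layout used here (a class octet, an algorithm octet and a 20-octet fingerprint), the sample signature body and the intruder fingerprint in it are constructed for the demonstration and are not taken from any real key.

```python
"""Flag ADK subpackets in the unhashed area of a v4 OpenPGP signature.

Added example, not from the original article. Minimal subpacket-area
parser per RFC 4880 section 5.2.3; the ADK subpacket body layout
(class, algorithm, 20-octet fingerprint) is assumed for the demo.
"""
import struct

ADK_SUBPACKET = 10  # PGP "Additional Decryption Key" (additional recipient) subpacket


def _read_subpacket_len(buf, pos):
    """RFC 4880 5.2.3.1 subpacket length encoding: 1, 2 or 5 octets."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5


def parse_subpackets(area):
    """Return a list of (type, critical, data) for each subpacket in an area."""
    pos, out = 0, []
    while pos < len(area):
        length, pos = _read_subpacket_len(area, pos)
        # length covers the type octet plus the body; reject truncated data
        if length == 0 or pos + length > len(area):
            raise ValueError("malformed subpacket at offset %d" % pos)
        tag = area[pos]
        out.append((tag & 0x7F, bool(tag & 0x80), area[pos + 1:pos + length]))
        pos += length
    return out


def split_v4_signature(body):
    """Return (hashed, unhashed) subpacket lists from a v4 signature packet body."""
    if body[0] != 4:
        raise ValueError("not a v4 signature packet")
    pos = 4  # version, signature type, public-key algorithm, hash algorithm
    hashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    hashed = body[pos:pos + hashed_len]
    pos += hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    unhashed = body[pos:pos + unhashed_len]
    return parse_subpackets(hashed), parse_subpackets(unhashed)


def find_adks(body):
    """List (where, fingerprint_hex) for every ADK subpacket in the signature.

    'hashed' means the key owner's self-signature covers the ADK;
    'unhashed' means it does not, which is the case the vulnerable
    PGP versions nevertheless honored.
    """
    hashed, unhashed = split_v4_signature(body)
    found = []
    for where, packets in (("hashed", hashed), ("unhashed", unhashed)):
        for typ, _critical, data in packets:
            if typ == ADK_SUBPACKET:
                # assumed layout: class octet, algorithm octet, 20-octet fingerprint
                found.append((where, data[2:22].hex()))
    return found


def unsigned_adks(body):
    """Fingerprints a correct implementation must ignore: ADKs nobody signed."""
    return [fpr for where, fpr in find_adks(body) if where == "unhashed"]


def _subpacket(typ, data):
    """One-octet length form (total length < 192); length counts the type octet."""
    return bytes([len(data) + 1, typ]) + data


INTRUDER_FPR = bytes(range(1, 21))  # constructed fingerprint of "Joe Intruder"


def build_tampered_signature():
    """Constructed sample: Jane's self-signature body after a third party
    appended an ADK subpacket to the unhashed area (not a real key)."""
    hashed = _subpacket(2, b"\x39\xa5\x00\x00")  # signature creation time
    unhashed = _subpacket(16, b"\xde\xad\xbe\xef\x01\x02\x03\x04")  # issuer key ID
    unhashed += _subpacket(ADK_SUBPACKET, b"\x80\x01" + INTRUDER_FPR)  # class, RSA, fpr
    return (b"\x04\x13\x11\x02"  # v4, positive certification, DSA, SHA-1
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\xab\xcd")  # left 16 bits of the hash; signature MPIs omitted


if __name__ == "__main__":
    for where, fpr in find_adks(build_tampered_signature()):
        print("%-8s ADK -> %s" % (where, fpr))
```

Run against the sample, the only ADK reported is in the unhashed area, and `unsigned_adks` returns its fingerprint: a correct sender-side implementation treats that as noise, while the vulnerable versions encrypted to it. Note that the check runs on the sender's copy of the recipient's key, which is exactly why a recipient upgrading her own PGP changes nothing.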
Fallout from this revelation came swiftly. Amongst the hue and cry over Senderek's report came wholesale PGP keyserver cleansing efforts, along with a sudden groundswell of opposition to PGP's use; those opposed instead favored other public key cryptographic programs such as GNU Privacy Guard (GPG). Even seasoned users of the older versions of PGP questioned its continued use.
"[They] became so preoccupied with whether or not they could that they didn't stop to think if they should," says Ian Malcolm in Jurassic Park.
PGP's philosophy and design are sound; however, in its rush to implement new value-added features, NAI sacrificed the core property on which every public key cryptographic system relies: that a verified public key encrypts only to its owner. In doing so, it has also risked the hard-won confidence PGP has cultivated since it was first distributed across the Internet.
Many, including myself, have abandoned the use of any cryptographic system that does not make its source code freely available. This latest incident only serves to galvanize my stance. While I will continue using NAI's version of PGP as my customers may require, I will only trust the version that I have personally reviewed and compiled. This may seem backward to some, but it is essential to me. In looking back on the events of this past week, I have to concur with Senderek's latest comment:
"This is not a bug, this is a scandal..."