The Zimmermann Telegram
IN THIS ISSUE
An Open Letter to PGP Users
An Important Announcement for PGPdisk for Windows Users
New U.S. Government Crypto Rules Bring Good News and Bad News
A Word from the Product Manager
Technical Details of PGPDisk
Last page
An Important Announcement for PGPdisk for Windows Users
During a recent internal review of PGPdisk for Windows, we discovered a problem that weakens the cryptographic strength of any PGPdisk volumes created with PGPdisk for Windows 1.0 and the version of PGPdisk that shipped with PGP 6.0 for Windows. This flaw resides in the PGPdisk code and does not affect any other portion of PGP, only PGPdisk for Windows.
We apologize to our customers and the community for any problems this flaw may have caused. We plan to remedy this in the future by conducting more stringent and thorough reviews of any changes to any cryptographic portion of the PGP code.
Technical Details
PGPdisk uses the 128-bit CAST algorithm to encrypt its volumes. Each PGPdisk volume is encrypted using a unique, random 128-bit CAST session key, which is created expressly for encrypting that particular volume. Before this key can be used for encryption and decryption, however, it must be expanded into a 1024-bit buffer. This process is called scheduling. Unfortunately, instead of calling the correct CAST scheduling function, the flawed code copies the session key directly into the expanded buffer. Instead of a completely initialized buffer, the result is a buffer with just the first 128 bits initialized and the rest cleared to zero. This error could make the volume vulnerable to a known-plaintext attack that would be considerably less work than one that required full key exhaustion if the key had been expanded into the key schedule normally.
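The following is an added illustration, not PGP's own code: it models the flawed "copy the key into the schedule buffer" behaviour described above next to a fully expanded buffer, and shows the kind of init-time sanity check a review or self-test could use to catch a schedule that was never actually scheduled. The real CAST-128 key schedule is not reimplemented here; `stand_in_schedule` is an assumed SHA-256-based expansion used only to show what a buffer with every bit initialized looks like.

```python
# Added example (not PGP's code). Models the PGPdisk 1.0 key-schedule flaw
# and a sanity check that would have flagged it. The CAST-128 schedule itself
# is NOT implemented; stand_in_schedule is an assumed stand-in expansion.
import hashlib

KEY_BYTES = 16        # 128-bit CAST session key
SCHEDULE_BYTES = 128  # 1024-bit expanded key-schedule buffer


def flawed_schedule(key: bytes) -> bytes:
    """Reproduces the bug the advisory describes: the raw session key is
    copied into the schedule buffer and the remaining 896 bits stay zero."""
    assert len(key) == KEY_BYTES
    return key + bytes(SCHEDULE_BYTES - KEY_BYTES)


def stand_in_schedule(key: bytes) -> bytes:
    """Assumed stand-in for a real scheduling function (not CAST-128's).
    Its only purpose is to make every byte of the buffer depend on the key."""
    assert len(key) == KEY_BYTES
    out = b""
    counter = 0
    while len(out) < SCHEDULE_BYTES:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:SCHEDULE_BYTES]


def schedule_is_expanded(key: bytes, schedule: bytes) -> bool:
    """Sanity check for a freshly built schedule: reject a buffer of the
    wrong size, a buffer whose tail after the first 128 bits is still all
    zero, and in particular the exact flawed layout 'key || zeros'."""
    if len(schedule) != SCHEDULE_BYTES:
        return False
    tail = schedule[KEY_BYTES:]
    if schedule[:KEY_BYTES] == key and not any(tail):
        return False  # the exact flawed layout described in the advisory
    if not any(tail):
        return False  # uninitialised tail even if the head was touched
    return True


if __name__ == "__main__":
    # Constructed sample session key for demonstration only.
    sample_key = bytes(range(1, 17))
    print("flawed buffer passes check:", schedule_is_expanded(sample_key, flawed_schedule(sample_key)))
    print("expanded buffer passes check:", schedule_is_expanded(sample_key, stand_in_schedule(sample_key)))
```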
This problem has been corrected in PGP Version 6.0.2 which, when installed, searches the user's disks for PGPdisk volumes encrypted with an earlier version of PGPdisk, and offers to re-encrypt them with a new session key using a corrected implementation of CAST. Volumes created with 6.0.2 are no longer compatible with older versions of PGPdisk, but meet the high security requirements of the PGP product line.
Discovery of this issue is a reminder of why peer review of cryptographic source code is vital to the integrity of a security product. This particular issue was found in-house; however, we publish our source code for cryptographic peer review to ensure against exactly this sort of problem. Network Associates remains committed to the cryptographic integrity of PGP products and we will continue to release the full source code to PGP for public peer review.
- The PGP Development Team