Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

PGP Vulnerability Discovered

Hemos posted more than 14 years ago | from the keep-an-eye-on-your-key-ring dept.

Encryption 247

Bruce Schneier, of Counterpane, sent in the word that a vulnerability has been found in PGP. He attached an explanation below of what's going on, as well as a paper concerning the risks of key escrow.

From Bruce:

PGP Vulnerability

A very serious PGP vulnerability was just discovered. Using this vulnerability, an attacker can create a modified version of someone's public key that will force a sender to encrypt messages to that person AND to the attacker.

Let me explain.

When Network Associates joined the Key Recovery Alliance, they modified PGP to allow for third-party key recovery. They did this by supporting something called an Additional Decryption Key (ADK). Normally, when a PGP user creates a PGP certificate, it contains a single public key (as well as identifying information as to who the key belongs to). PGP version 5 and 6 allow the user to add additional ADKs to the certificate. When a sender encrypts a message to that user, PGP will automatically encrypt the message in both the user's public key and the ADK. The idea is that the ADK belongs to the secret police, or the user's employer, or some organization, and that organization can intercept the encrypted message and read it.

A stupid idea, but that's the sort of thing that Key Escrow demands.

The flaw is that some version of PGP don't require the ADKs to be in the signed portion of the PGP certificate. What this means is that an organization can take a PGP certificate, append his ADK, and spread it out to the world. This tampered version of the certificate will remain unnoticed by anyone who doesn't manually examine the bytes, and anyone using that tampered version will automatically and invisibly encrypt all messages to the organization as well as the certificate owner.

Unfortunately, the problem won't go away until all vulnerable versions of PGP are eradicated: the sender who is responsible for encrypting to the ADKs, not the recipient.

Way back in 1998 a bunch of us cryptographers predicted that adding Key Escrow would make system design harder, and would result in even more security problems. This is an example of that prediction coming true.

cancel ×


Sorry! There are no comments related to the filter you selected.

Re:Lawsuit (1)

Anonymous Coward | more than 14 years ago | (#830465)

I was about to moderate you up, but then I felt I had to reply instead.

The fact is that this is too close to reality to be a troll, and too funny to be real.

By the way, once Judge Kaplan tells us Bruce is illegal we will all be forbidden from speaking to him.

Re:Lawsuit (1)

Anonymous Coward | more than 14 years ago | (#830466)

Why is this marked funny? This isn't funny!

Re:This was rumored for awhile (1)

Anonymous Coward | more than 14 years ago | (#830467)

The only way that this vulnerability could be used in this fashion was if the NSA broke into *all* of the central key repositories, appended ADK's to the public keys of the people they wanted to monitor, and hope that noone noticed the difference.

My questions is this: Does the ADK change the fingerprint on the key? If it does, then any responsible user of cryptography would know if their key was tampered with. Isn't that the whole point of the fingerprint being there..?

As a side note, I think the NSA doesn't slam the use of PGP because all they have to do is watch the people using PGP closer. This has always been a potential downside to crypto.. If it's use is made difficult or put on shaky legal ground, then the average citizen will be afraid to use it and only the people the NSA wants to keep an eye on will keep using it. Even if they can't read it, they can build surveilence webs by tracking who sends encrypted email to who.

"Proper" OS means one with /dev/random (1)

Anonymous Coward | more than 14 years ago | (#830468)

Hey dummy, he's right!!! Check your facts... GPG should only be used on systems that have /dev/random or some other entropy gathering device. That is, until the WIP entropy gatherer is completed that should work everywhere that doesn't have one built into the OS.

Re:Open Source at it's best (1)

Anonymous Coward | more than 14 years ago | (#830469)

You're confused. The ethos of open source is "too many cooks spoil the broth", not "many eyes make light work".

Re:GPG may not support this, but... (1)

The Man (684) | more than 14 years ago | (#830471)

GPG may not support this; however, what if a key created with GPG had this ADK appended to it and a PGP client was used to interpret and use the key?? Is there any chance in the world of general key misuse due to the fact that PGP is a rather popular client??

Yes of course. So 1) Don't use PGP5/6, 2) Don't accept anything from anyone who uses PGP5/6, and 3) Make certain all keys come from known sources.

Of course, since the vulnerable versions of PGP are the Microsoft ones, this shouldn't really be a problem. After all, nobody who uses Microsoft products is really worth communicating with anyway, securely or not.

Re:Bald-Faced Alarmism (1)

Suydam (881) | more than 14 years ago | (#830472)

This post was not about whether or not Key Escrow was good from the standpoint of privacy and/or morality. Rather, it's about a vulnerability in Key Escrow's current implementation. So frankly, I'm glad it's posted here.

Re:Open Source at it's best (1)

sheldon (2322) | more than 14 years ago | (#830474)

Too many cooks spoil the broth, but at least no one person is to blame.


GPG may not support this, but... (1)

CmdrChalupa (2516) | more than 14 years ago | (#830475)

GPG may not support this; however, what if a key created with GPG had this ADK appended to it and a PGP client was used to interpret and use the key?? Is there any chance in the world of general key misuse due to the fact that PGP is a rather popular client?? I'm no expert on key exchange, but this, to me, seems to be the case. Would someone care to correct me?? ( I truly hope I am corrected ) CmdrChalupa (Who cannot for the life of him remember how to change his sig)

Yeah, but... (1)

crisco (4669) | more than 14 years ago | (#830479)

... since GnuPG suupports the version 4 keys that are vulnerable, it supports the continued use of software that is vulnerable. I got the strong impression from the conclusion of the article that PGP Classic (2.6.x) was the only reccomended solution to use.

I know I'm going to get that baby back on my machines ASAP. Of course, I've got a feeling lots of things are going to change in another month with the patent expiration on RSA and with this discovery. But until there is a clear solution, PGP Classic works as good as ever for me.

Oh, and for you command line whimps, there are assorted PGP shells that make the entire process of key management and message signing and encryption as pointy and clicky as the current PGP for windows.

Re:Real reason we wanted key escrow (1)

hobbit (5915) | more than 14 years ago | (#830481)

That long? You must have very old hardware. Our quantum computer can factor a googleplex-digit number in under 10 picoseconds.


Re:So what's the answer (1)

CodeMonky (10675) | more than 14 years ago | (#830492)

There are better ways to do this. If it is something that important no single person should have control over it. You use secret sharing and have it so that for instance 2 of 3 keys are needed in order to decrypt the message.

GPG? (1)

ldspartan (14035) | more than 14 years ago | (#830496)

Although I don't use it very often personally, does anyone have any information as to if/how this vulnerability applies to GPG? -- Phil

Re:GPG? (1)

crow (16139) | more than 14 years ago | (#830497)

I assume GPG doesn't support key escrow. If I'm right on that, then it doesn't have the problem.

Re:Don't forget... (1)

zuffy (17881) | more than 14 years ago | (#830498)

...about that funny little graphic in the upper left-hand corner. You know, the one which says "SLASHDOT: News for Nerds. Stuff that matters."

Now, I'm going to point out that "NERDS" part and then we can start talking about what kind of humour is appreciated by the readers of this site. I thought that comment was funny, I guess you just have to go into nerd training for a while and do some background research or something like that.

Re:This is worrying, but: (1)

segmond (34052) | more than 14 years ago | (#830507)

Yes, but you don't just worry about the software you use, you also worry about the people you communicate, if someone is using the "trojaned" version and sends you an encrypted document, it is good as plaintext since someone could have intercepted the secret message as well. All versions of this software need to be secure and trusted. Not just the version you use.

Re:So what's the answer (1)

jovlinger (55075) | more than 14 years ago | (#830516)

even from earlier keys?

If later versions automagically convert older format (like the 2.6.2i I think I have) keys to new formats that would could be conceivable. However, automagically doing anything seems contrary to the whole security ethic, no?

Re:Open Source at it's best (1)

Ded Bob (67043) | more than 14 years ago | (#830527)

PGP is not open source.

It might not fit the bill according to the Open Source web site, but the source is (was) available for all to read.

Re:gpg (1)

Eponymous, Showered (73818) | more than 14 years ago | (#830532)

GPG shouldn't be used on WIN32 for example because there is no suitable source of crypto strength randomness.
What about the Windows 2000 running on a PIII. My understanding is that there is a legitimate RNG built into the PIII (or maybe it's one of the intel chipsets) I would think that this would allow GPG to be sufficiently strong on Win32 if it used the right API call for this (or can access the RNG directly)

For that matter, what make "any version of UNIX" suitably strong? Would that not depend on how /dev/random is implemented? There are a lot of flavors of unix out there. I'd be hard pressed to trust my key generation to Minix on an 8088, for example.

Re:NO! (1)

oldmacdonald (80995) | more than 14 years ago | (#830536)

I think GNUPGP users should worry too. With the caveat that I haven't looked at GNUPGP in detail, the way it sounds like this exploit works is that someone takes your PUBLIC key and adds on the ADK and then sends it around as if it were your correct public key. Anyone sending mail to you using a non-gnu-pgp will be sending vulnerable mail. So just because you have gnupgp doesn't make you safe.

Re:Lawsuit (1)

rotor (82928) | more than 14 years ago | (#830537)

Oh yeah, that would be really great. Lend more fodder to the precedent AGAINST DeCSS, and then donate the procedes to DEFEND DeCSS. The process would do a hell of a lot more for the MPAA than for the EFF.

Re:who the hell thinks this is funny? (1)

rotor (82928) | more than 14 years ago | (#830538)

What's wrong with Henny Youngman jokes?

You want geek laughs and Henny Youngman?
"... Take Windows 2000... Please!"

Re:who the hell thinks this is funny? (1)

Nezumi-chan (110160) | more than 14 years ago | (#830541)

oh, but then again, these are the same people who think user friendly is funny.

Not me. I realize the truth.

User Friendly is a documentary.

Re:Bald-Faced Alarmism (1)

-brazil- (111867) | more than 14 years ago | (#830544)

You're wrong. There *was* a new flaw discovered in the key escrow mechanism of PGP that made it vulnerable to *anyone*, not just those with a "legitimate" third party key. Read the post.

Correction... (1)

Andy_R (114137) | more than 14 years ago | (#830545)

Someone claiming to be (but we can't be 100% sure) Will Price, Director of Engineering, PGP Security, Inc. ... ;-)

Re:Lawsuit (1)

systemapex (118750) | more than 14 years ago | (#830549)

Your comment is so funny because it is so true. I say a class action suit is in order. Proceeds go towards funding the DeCSS defense!

Re:ADK? Disturbing. (1)

pallex (126468) | more than 14 years ago | (#830553)

Its your public key. So attackers can snoop on mail addressed TO you, not from you.

Re:Bald-Faced Alarmism (1)

lurker786 (128178) | more than 14 years ago | (#830554)

No, this is not an old issue. The point is *not* that your employer/the CIA/X can read your email (scary though it may be).

The point is that JoeHacker(anyone) can modify your public key so that *he* can read your mail. Big diff.

Re:This was rumored for awhile (1)

pointym5 (128908) | more than 14 years ago | (#830555)

Why was that moderated up to "informative"?!?

why not (1)

ArchieBunker (132337) | more than 14 years ago | (#830557)

Just rot-13 it? They will spend months trying to figure out what forms of encryption you used.

Re:"Proper" OS means one with /dev/random (1)

ssimpson (133662) | more than 14 years ago | (#830563)

Phew, someone else can RTFM ;)

Re:gpg (1)

ssimpson (133662) | more than 14 years ago | (#830564)

GPG doesn't suffer from this problem. It is stable, useable and uses the same ciphers (and more...) that NAI/PGP uses.

The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).

Re:Bald-Faced Alarmism (1)

ssimpson (133662) | more than 14 years ago | (#830565)

BUZZZ...You're plain wrong I'm afraid.

This story isn't discussing the use/deployment of ADK, but rather that someone can add an ADK packet to any PGP key without corrupting the key or alerting the software: the ADK packet isn't covered by the hash function.

Key escrow good or bad is an interesting topic, but this story is about a damn big hole.

Re:A bit of pedantry (1)

Mr. Adequate (138862) | more than 14 years ago | (#830567)

Why did you have to go and do that? Now we can look forward to an "US vs. Rest Of World" flamewar along with the "Many Eyes Of Open Source" one.

OTOH, we could go all out and add Perl vs. Python. And I think it's been a full two stories since the last Gnome vs. KDE one. And maybe emacs vs. vi also fits in there somewhere (doesn't emacs have a GPG whatsit?).

OTTH, let's not and pretend that we had.

Look at the name (1)

funk_phenomenon (162242) | more than 14 years ago | (#830571)

It's called Pretty Good Privacy. I mean, the name was its fate. Guess it applies truly now though. It sounds funny when it applies to other areas, such as Pretty Good Security, or Pretty Good Doctor, though. I know the name has nothing to do with the way it works (well now it does), but it's a good note.

Also, there was a question on Jeopardy in The Internet category on what PGP stood for, last night. Interesting.

Even the samurai
have teddy bears,
and even the teddy bears

Re:You just thought you were safe! (1)

sqlrob (173498) | more than 14 years ago | (#830579)

Yeah, right

So you are a cryptologist that can guarantee you didn't somehow weaken the algorithm with a bad key choice or rounding error?

I know I'm not. That's one reason I haven't done cryptography software.

Implications for digital signatures? (1)

saforrest (184929) | more than 14 years ago | (#830591)

What are the implications of this vulnerability for digital signatures?

The standard thing to do when Bob is "signing" a message is for Bob to encrypt it with his private key. Then when Jill gets the message, she decrypts it using Bob's public key, and therefore knows it's from him.

Now, if Jill is using a hypothetical hacked up version of Bob's public key, does this mean that Joe Random Hacker can send messages that appear to come from Bob, since the public key is associated both with Bob and the Joe's bogus "ADK"?

Re:So just use "authorized" keys. (1)

nestler (201193) | more than 14 years ago | (#830595)

Just make sure, when you get someone's public key, that it comes from an "authentic" source

This is potentially bad reasoning.

The whole problem with this vulnerability is that it is difficult to detect if someone has altered a V4 public key with an ADK because one of the places for inserting ADK's is not included in the checksum (fingerprint) of the key. So they key will appear to be perfectly self-signed even after tampering.

If you mean by "authentic" source, that your trusted friend emails you his key, this is not safe. Email is alterable. An adversary can insert an ADK into the mailed key, that will not be visible to you without specific scrutiny with a hex editor or special GPG incantations.

Use GPG (or PGP 2.6) with old style V3 keys to prevent all of these attacks.

I'm not panic (1)

tswinzig (210999) | more than 14 years ago | (#830597)

Or did you mean to say:

"Those of you who aren't, panic."


(GrammarNazi eat your heart out!)

Who is this mysterious we? (1)

sips (212702) | more than 14 years ago | (#830598)

Really, do you actually work for the NSA unlikely at all.

My understanding is that the military controls.. (1)

sips (212702) | more than 14 years ago | (#830599)

their nuclear devices with on site control systems that no one has access to. I believe that the "football" that the president has is just a ploy. Only an idiot would hook up nuclear weapons control systems to the internet.

It's a matter of trust (1)

sips (212702) | more than 14 years ago | (#830601)

People should realize that the most potent form of use that pgp/gpg has are their use of webs of trust. Also you should get the public key that the person is expecting from that person. Anything else is open to fraud.

Well not involving it (1)

sips (212702) | more than 14 years ago | (#830602)

Ever heard of a little technique like they used in "A Cask of Amantalado" by Edgar Allen Poe. Classic revenge, nicely done.

Or get someone else to sort through it (1)

sips (212702) | more than 14 years ago | (#830603)

Most people don't have time to sort through thousands of lines of code looking for the little nasties. I doubt many people do even in the code business.

Re:incredible prediction (1)

SecurityGuy (217807) | more than 14 years ago | (#830607)

Congratulations on your fine grasp of the obvious. Please realize that policy makers, whether corporate or governmental, don't always have the background to recognize what you see as obvious. There's been a deluge of "Just do $FOO!" solutions of late, most of which are obviously flawed. These range from adding a "V chip" to consumer electronics to remedy deficient parenting, attempts to regulate internet content (again, to remedy deficient parenting), suing person A because person B used A's service to commit a crime (hi, MPAA & RIAA!), to making it more difficult for law abiding citizens to protect themselves (you DO have a right to do this, you know) while failing to prosecute and adequately punish criminals. Web "privacy" is addressed by privacy policies which nearly always say "This policy grants you no rights, and we can change it whenever we want anyway." None of these solve the underlying problem, but are used in spite of "obvious" flaws because it was easier than fixing the problem correctly or has good PR value.

There are quite a few out there who don't understand that system complexity correlates negatively with system security. Yes, it's obvious, but say it often and to anyone who will listen. When *everyone* notices the obvious statements, then you can stop.

Not a problem with PGP (1)

jabber01 (225154) | more than 14 years ago | (#830610)

If I understand this correctly, this is not a problem with PGP per se, but rather with the corporate/government backdoor extension into PGP. PGP itself is sounds as stone, but yet another hack, intended to give enquiring minds a means to know has it's pants down.

As I understand the 'extended' scheme, there are actually two copies of the message in the PGP ciphertext. One is encoded with MY key, and is safe, and the other is encoded with Their key - which in some versions is not secured properly and may be compromised.

The workaround seems simple enough: pre-encode my message before giving it to the 'weak' version of PGP; this way, if Their version of the key is bogus, all that an eavesdropper can get is my original cipher. Or is there a problem with doubly-encoding a message with My key?

The REAL jabber has the /. user id: 13196

Re:Open Source at it's best--not (2)

Anonymous Coward | more than 14 years ago | (#830612)

The #1 problem with the "million monkeys" model of software development and testing is that all it does is deliver, in a short amount of time, code created by monkeys.

I'd much rather have a smaller number of people working much more intensively on something, ala the ongoing OpenBSD security audit, to catch problems before anyone is burned. "Sure, the bridge fell down, but look at how quickly we re-engineered and rebuilt it!" is cold comfort to those who were on the bridge when it collapsed.

That's why I'm part of the GNU Generation. . . (2)

SgtPepper (5548) | more than 14 years ago | (#830620)

Need I do more then post this link? []

Re:Sue Him ! (2)

arivanov (12034) | more than 14 years ago | (#830626)

Why funny? This is actually bloody right on target:

He has illegally circumvented a carefully designed protection mechanism !

Re:Hold on (2)

arivanov (12034) | more than 14 years ago | (#830627)

No you are not. I will like to add that:
  • This one of the reasons that people still stick to RSA keys and PGP 2.6x. See OpenBSDs Theo de Raadt key for example.
  • Get your current key from a public keyserver and carefully check it. With GPG. It should contain only sigs and self-sigs. There should be no complains on unknown packets as well.

Win32 (2)

Pope Slackman (13727) | more than 14 years ago | (#830629)

>NONSENSE! GPG is released under the GPL. You can port it to any operating system you want. Why >don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

I don't think that's it at all. The previous poster was probably thinking of this-

From readme.w32 in the GPG W32 ALPHA release:
This is an alpha release of GnuPG for MS-Windows and WNT.
The random number generator should now work but has not undergone
a thorough testing, so we won't say anything about the quality of
the generated key and suggest that you don't use this version with
your production secret keys!

The new version of GPG (1.0.2) doesn't have this warning though, so I'd imagine they've validated the RNG.


// \\
/( )\

Any known exploits? (2)

crow (16139) | more than 14 years ago | (#830630)

Is there any evidence of this being used in the field? Obviously people have tested the bug once it was reported, but has anyone used it in evesdropping?

It should be easy enough to write a program to check to see if any archived mail has the extra keys.

Called Them (2)

augustz (18082) | more than 14 years ago | (#830632)

Forwarded, forwarded and forwarded again. Sales forwards to technical support forwards to sales. PGP has no problems, no there are no alternatives to PGP.

If anyone else thinks they will have better luck give them a call at 888-347-3925, would love to hear their perspective.

So what's the answer (2)

Gallowglass (22346) | more than 14 years ago | (#830634)

If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

As to it being a stupid idea, I have to disagree. There are cases where it is important to allow someone else access to the data. For example, in business affairs. If the holder of say the secret ingredients to Drambuie (nectar of the Gods, yum, yum!) had the recipe encrypted and suddenly dropped dead, what then? If the only copy is encrypted and no-one else has the key, then the recipe is lost and the company folds.

And this is different exactly how from ... (2)

overshoot (39700) | more than 14 years ago | (#830637)

someone passing around a modified version of PGP which surrepetitiously compromises the security of the message in some other way?

For instance, if my system admin put an altered PGP binary on the network which passed copies of the plaintext to a logfile, I would be at least as hosed. And it would be a lot less work for the Company. Similar exploits abound; after all how many of us actually read all of our source line-for-line?

In this case, the corrupted code came from NSI. (And you decided to trust NSI, of all people, because...?)

Re:gpg (2)

radja (58949) | more than 14 years ago | (#830638)

ok, this may not be true, but...

when pgp went corporate, some companies wanted a backdoor to their worker's email. So this was built in. gpg on the other hand is not written with companies in mind, it was written with privacy in mind. I would be surprised if gpg had this vulnerability too.


Re:This is worrying, but: (2)

pi31415 (60856) | more than 14 years ago | (#830639)

Remember, in an exchange of information, you are vulnerable if you or your correspondent uses vulnerable software. A public key generated by GPG is can still be compromised, and messages a correspondent sends to you (possibly containing your own sensitive information) may be intercepted if they are using one of the vulnerable Windows versions of PGP.

So, while it isn't time to panic, it's important to keep in mind that both ends of the channel need to be secure for the information transmitted through it to be secure. We can't be complacent just because we're using free software.


Re:Answers about GnuPG (2)

pete-classic (75983) | more than 14 years ago | (#830643)

I don't know squat about cryptography, but it seems like key generation is only half the problem.

The other half is that a reliable PGP implimentation should refuse ENcrypt using a public key with unsigned ADKs.

I am pretty concerned about this, because I have to rely on SOMEONE ELSES (possibly compromised) key to protect what I say.

Or am I off base here?


Re:This was rumored for awhile (2)

rakslice (90330) | more than 14 years ago | (#830647)

They wouldn't really have to "break into" them... Anyone can re-upload a key, right?

GnuPG not vulnerable (2)

adric (91323) | more than 14 years ago | (#830648)

According to the posting [] at Cryptome [] , GnuPG 1.0.1 is not vulnerable. I'd assume that applies to all of the older versions as well.

You CAN fix this on the client... (2)

ugen (93902) | more than 14 years ago | (#830649)

Inasmuch as client (recipient) will have to be fixed in a following way:

a) Alert you every time someones certificate is used if it contains any additional keys.
b) Have an option of ignoring such messages.

You still have to notify the author that he is using a compromised certificate so the problem isnt entirely solved but it will be clearly visible.

This was rumored for awhile (2)

Smitty825 (114634) | more than 14 years ago | (#830650)

If I remember correctly, this was rumored that the NSA had found a way to break the PGP encryption. That's probably why they haven't discouraged the useage of it all of these years...

Re:gpg (2)

bXTr (123510) | more than 14 years ago | (#830653)

GPG ... uses the same ciphers (and more...) that NAI/PGP uses.
No, it doesn't! PGP uses proprietary patented algorithms. GPG doesn't, never has and never will. THAT'S why it's superior to PGP. The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).
NONSENSE! GPG is released under the GPL. You can port it to any operating system you want. Why don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

ya know (2)

fluxrad (125130) | more than 14 years ago | (#830655)

I was thinking...the best way to get the government to realize that the vast majority of lawsuits are stupid and frivolous...and, more importantly - to get them to do something about it - is to have everyone we know file lawsuit against everyone else they know. but then i realized...


After 16 years, MTV has finally completed its deevolution into the shiny things network

Re:Open Source at it's best (2)

ssimpson (133662) | more than 14 years ago | (#830658)

Bzzzzzzt. Wrong. PGP is open source. See for example and download your own copy..........

Re:gpg (2)

ssimpson (133662) | more than 14 years ago | (#830660)

I wrote: GPG ... uses the same ciphers (and more...) that NAI/PGP uses.

You wrote: No, it doesn't! PGP uses proprietary patented algorithms. GPG doesn't, never has and never will. THAT'S why it's superior to PGP.

PGP v5 onwards has implemented CAST & 3DES and DH/DSS as the asymmetric cipher - all non-proprietary. You may be refering to PGP v2.x - but that version doesn't suffer from these ADK problems and is thus totally unrelated to this current discussion...

I wrote: The only problem with GPG is that it should only be used under "proper" operating systems (e.g. any version of UNIX).

You wrote: NONSENSE! GPG is released under the GPL. You can port it to any operating system you want.

Have you ever used / installed GPG? If you read the documentation and source code is clear and obvious that GPG needs a decent source of randomness. GPG shouldn't be used on WIN32 for example because there is no suitable source of crypto strength randomness.

You wrote: Why don't you check your facts before posting to this site? Oh, I forgot, this is /. Never mind.

Coming from someone you clearly writes from a position of gross ignorance?

PS: Read my writings on GPG/PGP at: if you doubt my credentials.

Secrecy: we need privacy and protection from THEM (2)

Frank T. Lofaro Jr. (142215) | more than 14 years ago | (#830662)

  • Privacy. Want us to see EVERYTHING (and I mean EVERYTHING) you do?... Didn't think so.
  • Because so many things that shouldn't be illegal, are. Because so many things you have the moral right to do will still get you punished (harrassed, fired, sued, imprisoned, assassinated, etc). If you say something The Man doesn't like, you might really begin to appreciate secrecy.

Re:You just thought you were safe! (2)

Frank T. Lofaro Jr. (142215) | more than 14 years ago | (#830663)

And unless you know a hell of a lot of intricate high-level mathematics, the NSA breaking your code will be the LEAST of your problems. Probably any halfway decent cryptoanalyst could break your code trivially.

Crypto ain't easy folks.

Re:This was rumored for awhile (2)

Ig0r (154739) | more than 14 years ago | (#830665)

The encryption algorithms weren't 'broken', it's a bad implementation of key escrow (which is a dumb idea to begin with).


Re:Hold on (2)

nestler (201193) | more than 14 years ago | (#830669)

You are slightly wrong.

I you use an old V3 RSA key (the ones that PGP 2.6 creates), then there is no way they are inadvertantly encrypting stuff that an adversary can read (while thinking it is to you).

Ir you are using a new-style key (v4 of any of the two crypto algorithms), then your analysis is correct. Someone with the broken software may inadvertantly send mail thinking that it is only readable by you, when in fact it is readable by anyone who tampered with their copy of your public key.

This is very much worth knowing with all of the misguided "I use GPG so I am safe" posts floating around. Only old V3 keys are safe from other peoples' bunk software.

Re:That's why I'm part of the GNU Generation. . . (3)

Sneakums (2534) | more than 14 years ago | (#830674)

From what I can make of the section regarding GnuPG, it doesn't warn about the presence of the ADK. However, it places but one session key in the cryptogram, a key only recoverable using the user's private key.

But if you get a contaminated version-4 public key, GnuPG will not warn you about it. You should check any and all public keys that you use as decribed in the article. I'm sure the GnuPG team will not be long in adding functionality to do this automatically.

"Where, where is the town? Now, it's nothing but flowers!"

Hold on (3)

jaa (22623) | more than 14 years ago | (#830676)

I keep hearing that this version is unaffected, and that version is unaffected. Aren't all of us affected:

"the sender who is responsible for encrypting to the ADKs, not the recipient."

Thus, if someone with a broken version of PGP sends me encrypted email, they might also encrypt to an adversary. Am I missing something?

Re:Open Source at it's best (3)

MartinG (52587) | more than 14 years ago | (#830678)

PGP is not open source.
GPG, the GNU equivalent of PGP _is_ open source, and does not have this vunerability.

As for the police here in the UK, thats a whole other story, and if you ask me Mr Straw has no idea what problems he is creating for the police in the long term with his RIP bill either... but that's another story for another day.

Re:ADK? Disturbing. (3)

Hugh D. Hyatt (94194) | more than 14 years ago | (#830681)

I just looked in PGP Help. Here's what the item on 'additional decryption keys' says:

About Additional Decryption Keys

Additional Decryption Keys are keys that allow the security officers of an organization to decrypt messages that have been sent to or from people within your organization. There are two types of keys: incoming additional decryption keys and outgoing additional decryption keys .


Although the security officer should not ordinarily use the Additional Decryption keys, there may be circumstances when it is necessary to recover someone's email. For example, if someone is injured and out of work for some time or if email records are subpoenaed by a law enforcement agency and the corporation must decrypt mail as evidence for a court case.

© 1999 Networks Associates Technology, Inc.

Re:So just use "authorized" keys. (3)

ssimpson (133662) | more than 14 years ago | (#830682)

ARRGH! Wrong!

This is a hole, a bug, a failiure. It's easily countered by including ADK information in the hashed/signed portion of the key.

This discovery means that EVERY key on public key servers is potentially broken. Hell, any naive users key could have this ADK packet and not even be aware! Using "authorised" keys, whatever that means, isn't a solution.

Sounds like a good job for a virus or IRC bot (3)

dpilot (134227) | more than 14 years ago | (#830683)

Scan for unsigned ADKs and report them back to the (supposed-to-be) owner, as well as the current holder. For that matter, scan for signed ADKs, as well, and report them, too.

It can't really be a virus or IRC bot, but why not a snipped of open source code. Get it out, and everyone scan every key they hold. Scan every key that you know you've put somewhere. Scan every key you use to send. Scan every key you touch.

For that matter, wrap it in with GPG.

While we're at it, send upgrade notices back to anyone who uses the wrong version of PGP to send us mail. Stomp it from the face of the Earth.

So just use "authorized" keys. (3)

saforrest (184929) | more than 14 years ago | (#830684)

I agree this is a problem, but it doesn't render PGP useless.

Just make sure, when you get someone's public key, that it comes from an "authentic" source.

Sue Him ! (3)

Fruny (194844) | more than 14 years ago | (#830685)

He has illegally circumvented a carefully designed protection mechanism ! His discovery will cause bazillions of dollars to be lost to crime and piracy.

Worse even, sites such as Slashdot freely link to this information, destroying a successful business model (namely e-commerce) !

Don't let him get away with it, protect our right to profit !

And while you are at it, imprison all mathematicians who might find ways to break our precious cipher systems by finding a way to factor large numbers

(Sounds stupid, but wouldn't there be legal action in such a case ?

Re:Look at the name (3)

Whistler007 (213845) | more than 14 years ago | (#830686)

There's probably more truth to that than you might suspect. Encryption using PGP is inherently more complex. Since it requires two keys, as opposed to one key in traditional crypto, the math gets a lot more complicated. You can't just use a reversible function.

While there haven't been any real structural attacks to PGP, up until this, it is theoretically more likely that structural attacks will work against PGP than standard crypto. Perhaps the NSA has already found a way? Also, traditional PGP uses the RSA encryption algorithm, which, if you follow, gets brute-forced regularly. If you really are scared of the government reading your email, then I doubt PGP will put your fears to rest.

Re:So what's the answer (4)

Sneakums (2534) | more than 14 years ago | (#830687)

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

The problem is that anyone can add an ADK to a public key without affecting the key's fingerprint. In other words, it is perfectly possible for someone to set up a keyserver that adds an ADK for themselves to each key uploaded, and no-one will by any the wiser, unless they examine the key closely.

How they get their hands on the mail encrypted using those keys is of course outside the scope of this post.

Idea: A company could set up an internal auto-ADK-adding keyserver for its employees to use, and of course they have access to the outgoing mail spool.

"Where, where is the town? Now, it's nothing but flowers!"

Re:GPG? (4)

SgtPepper (5548) | more than 14 years ago | (#830688)

It shouldn't, at all.

GPG [] is based on the OpenPGP standard ( RFC 2440 [] ) which doesn't, AFAIK, include "Key Escrow" or "ADK". PGP [] seemes to have "added" this feature, perhaps this is what the mean by "multiple recipents" in the E-business product. []

Of course I could be wrong, but that's the way it looks to me :)

Re:This is no surprise (4)

arivanov (12034) | more than 14 years ago | (#830690)

You forgot to add:
  • deliberately made a mostly winshmoze system that does not work or does not even compile on alpha, mips and most 64 bit systems.
  • replaced working random number generation with stuff that just does not work.

Not new or secret (4)

Mr T (21709) | more than 14 years ago | (#830691)

This is a bug. The fact that you can modify an existing key is a serious oversight.

There was a great deal of arguing and discussion in cryptographic circles when this came out. The gist of it is that when you email something from work, you're employer can get sued for it, so employers want the capability to read that email, they are legally entitled to in the US. So they added "enterprise" or "corporate" support to PGP. In the business world it makes more sense then you think, they can also recover messages if you're harddrive crashes and takes your secret key away. If PGP is to ever take hold in that market, and PGP is about making money anymore, then it needs this so called ADK feature.

DO NOT FEAR. KEEP USING PGP and GPG if you're one of the 2% who do! If they include the ADK within the key signature then the problem goes away and it works as designed. ADK is a good thing because it makes the product usable in markets it would otherwise never make it. My fear is that this will be treated like Clipper was, and for some reason people get paranoid about having encryption where an authoirzed third party can decrypt your transimition so the proper thing to do is keep using no encryption because that is some how better.

As a former one of the original cipherpunks and a crypto freak I'm also beginning to come around on escrow and key certifcation services. I've built a key database starting with my keys and the linux kernel key. I only added signers of keys to until the database was 4000 keys or so. "The web of trust" doesn't work, there are lot's of fraudulent and dead keys in there and they are signed by someone who was trusted enough to sign the kernel key, or someone who was trusted enough to sign the key of one of the signers of the kernel key. I only went out 3 hops from the kernel key when I was making the database. If you play 6 degrees of Kevin Bacon with PGP keys and start with Linus and the kernel key you get to a bunch of trash really quickly. (this was all done with Example: Gandhi (yes, at has signed Dave Del Torto's key who has signed Theo Ts'o's key who is a kernel hacker and has signed the Kernel key. There is nothing that prohibits anyone from signing another key, so essentially you can't trust a key simply because it was signed by somebody. The web is a direct graph and the arrows point the wrong way, you can only trust keys you trust enough to sign and you can't draw any conclusion from someone else's signature being on a key. There is also a tremendous amount of garbage in the web of trust.

The only solution to this is a certified key authority. The problem with that is they are a business (better than a governement agency) and they will want to use ADK to cover their ass. I think the risk can be managed to a reasonable point by having multiple companies with checks and balances. I would use a key authority if, a) it was seemless and all my email was encrypted with said key and b) key authority couldn't decrypt my key but a 3 party might be able to with a court order. I still wouldn't use it for encrypting my confessions of sexual peccadillos or my plans to over throw the government but it would be more than acceptable for email which is largely unencrypted now. (So not just can the govenrnment read it but your neighbors, your employer and foreign governments can all read it too.) As it stands, if I was told by a court to decrypt my email and there wasn't an ADK capability, I would go to jail for contempt until I did, so when it comes down to it, if some one wants to forcably read your email and a court agrees you're going to lose that battle either by decrypting it or by going to jail and testing your will.

This isn't a real problem (4)

GavK (58709) | more than 14 years ago | (#830692)

This doesn't affect anyone who uses the correct method of getting a public key. AKA EMAIL (At worst)

It's only keyservers that this could occur on. Personally I keep mine on my web pages [] , anyone who wants to mail me securely uses that, or the one I mail them...

Rule: Only use keyserver keys for verification of an unknown source, and even then, if it's important don't trust it...

EG I get the CERT key from their web site []

It's your security people, don't give it to someone else...

Re:GPG? (4)

Greyfox (87712) | more than 14 years ago | (#830693)

It looks like GPG can also be used to check a message to see if it's been encrypted to additional keys, although the method to do so is fairly complex. Perhaps the GPG guys should move this functionality up a bit and print a warning if you're decrypting a message that was encrypted to additional keys.

Can we ask someone within PGP? (4)

hvoss (91741) | more than 14 years ago | (#830694)

Does anybody have a good contact within PGP (pref. close to Phil Zimmerman) and get them to comment on this? (Like how can this be detected, other ways to safe guard against this.... etc.).
Hans Voss

Re:GPG? (4)

-brazil- (111867) | more than 14 years ago | (#830695)

The answer seems to be this: If you use GPG for *encryption*, then it's not vulnerable. But if you use if for *decryption*, then it is, since the person who encrypted the mail could have used normal PGP with the vulnerability.

ADK? Disturbing. (4)

setecastronomy (116560) | more than 14 years ago | (#830696)

Maybe I completely missed the blaring announcements, but why is it that this is the first time that I'm hearing about this ADK 'feature?' If my version of PGP is automatically including an extra key along with my own, so that the government can snoop on my encrypted mail, it should be made blatantly clear, every time I generate a key. Or maybe I'm missing something obvious?

This is no surprise (4)

Randseed (132501) | more than 14 years ago | (#830697)

This is absolutely no surprise. It's also inconceivable that this is simply an honest bug. It's a backdoor.

PGP 5.x was, is, and will continue to be a screwup.

They deliberately changed the command line interface to break every PGP-interoperable tool out there.

They released the Windows version months before the UNIX version.

When they finally were releasing the UNIX versions, they were binary-only.

Eventually, they got around to releasing the source code to the world. This was supposedly because of legal concerns, but that explanation doesn't really hold water. The binaries were released and restricted to the U.S. The source code was written in book form and exported, then to be scanned in, which was legal. Of course, the binaries made it out of the U.S. in about 45 minutes. The source code could have easily been released and restricted to the U.S., but wasn't. This didn't sound right at the time either.

They deliberately broke interoperability with older versions of PGP, which in effect forced people to upgrade. Because they didn't release source code, people were upgrading with binary-only versions.

Anybody searching the Cypherpunks archives from around the time PGP 5.0 was released can find several large threads on these topics.

So, again, it doesn't come as a surprise that PGP Incorporated is a government shill organization, particularly after they joined the KRAp.

Screw them. They and the government can go fuck themselves.

Re:Can we ask someone within PGP? (4)

ssimpson (133662) | more than 14 years ago | (#830698)

Will Price, Director of Engineering, PGP Security, Inc. has been alerted and is looking into it - he expects to report back to PGP-USERS mailing list Thursday.

Re:GPG? (4)

ssimpson (133662) | more than 14 years ago | (#830699)

This doesn't apply at all to GnuPG - it doesn't recognise the ADK packet (and it shouldn't - RFC2440 specifies that this packet is simply "placeholder for backward compatibility".

This is worrying, but: (4)

phaze3000 (204500) | more than 14 years ago | (#830700)

GNUPG [] isn't affected - so those of us who like a software free-as-in-speech don't have an problem.

It can only affect you if you get a key from an untrusted source. For most /.ers this won't be an issue.

So basically, don't panic just yet. Of course, this will no doubt start a number of 'many eyes of open-source' arguments.

Would Updating Keyservers Help? (5)

Brian Ristuccia (2238) | more than 14 years ago | (#830701)

Wouldn't the impact of this vunerability be reduced significantly if the various public keyservers were reconfigured to reject keys uploaded with unsigned ADK's?

Re:ADK? Disturbing. (5)

benedict (9959) | more than 14 years ago | (#830702)

You misread. PGP is not generating an ADK. PGP is *accepting* ADKs that are attached to public key certificates but not signed by the issuer of the certificate.

Here is the exploit sequence: you issue a PGP certificate, containing your public key. You may be not be running a version of PGP with the bug, it doesn't matter. Joe Evil attaches another public key to your certificate as an ADK, and passes it around. Someone who is running the vulnerable PGP uses your certificate to encrypt a message to you. However, they *also* make a copy encrypted with Joe Evil's public key! And they won't even know it unless they examined your certificate manually. Now Joe can read their message.

So the problem here isn't that PGP is attaching an ADK, but rather that someone could later attach an ADK and the tampering would be not detected by someone using the certificate to communicate with its issuer.


Explanation of the problem (5)

sde1000 (10806) | more than 14 years ago | (#830703)

The reason that this vulnerability in PGP is serious is that you can't fix it by updating your copy: you have to ensure that everybody who might send you encrypted messages has a copy of PGP without the ADK bug. This is difficult, especially when you don't know who your correspondants are going to be ahead of time.

Here is a summary of Ralf's paper that I wrote while reading it yesterday:

When a PGP key-pair is generated, the public key is stored in a file as a number of typed 'packets': the key itself, a userid, etc. One of these packets is a signature of the previous packets made with the private key, to bind them together (so that, for example, the userid cannot be changed).

In PGP version 3 files, it's as simple as that.

In PGP version 4 files, the signature packet contains some extra fields: two sets of 'subpackets'. One set of subpackets is included in the hash, and therefore cannot be tampered with. The other is not included in the hash.

Some versions of PGP allow "Additional Decryption Keys" to be specified for public keys. They are specified by including the additional key identity in a subpacket in the signature. The idea is that when you create a key pair and sign the public part, you sign the identities of any ADKs that you want to use. This is supposed to prevent ADKs from being specified without the consent of the holder of the private key.

Unfortunately, some versions of PGP respond to ADK subpackets in the non-hashed part of the signature. This is a blatant bug. They treat them exactly as if they were hashed, i.e. they show up as ADKs in the list of 'key properties', and messages encrypted to the public key include packets allowing the session key to be obtained by holders of the ADKs.

Tested versions of PGP:

  • PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)
  • PGP-5.0i UNIX (not vulnerable)
  • GnuPG-1.0.1 UNIX (not vulnerable - doesn't support ADKs)

The problem won't go away until all vulnerable versions of PGP are retired, since it's the sender who is responsible for encrypting to the ADKs, not the recipient.

As far as I can tell, nobody has done the experiment of uploading a modified signature packet to a keyserver yet - will it replace the existing signature packet, or be ignored? (Or possibly be stored in addition, in which case more experiments need to be done: what will various versions of PGP do if given keys with multiple self-signatures?)

More followup: I've found the bug in the PGP-6.5.1i-beta2 source code. I'm fairly sure it will be identical in all the other vulnerable versions.

In file libs/pgpcdk/priv/keys/keys/pgpRngPub.c, I see two functions: one called ringKeyFindSubpacket(), which finds a subpacket from a self-signature packet, and ringKeyAdditionalRecipientRequestKey(), which uses ringKeyFindSubpacket() to search for ADK subpackets.

ringKeyFindSubpacket() is declared as follows:

PGPByte const * ringKeyFindSubpacket (RingObject *obj, RingSet const *set, int subpacktype, unsigned nth, PGPSize *plen, int *pcritical, int *phashed, PGPUInt32 *pcreation, unsigned *pmatches, PGPError *error);

In particular, the "phashed" parameter is used to return whether the subpacket was in the hashed region. Now, looking at the call in ringKeyAdditionalRecipientRequestKey() I see this:

krpdata = ringKeyFindSubpacket (obj, set, SIGSUB_KEY_ADDITIONAL_RECIPIENT_REQUEST, nth, &krdatalen, &critical, NULL, NULL, &matches, error);

...the "phashed" value isn't checked (or even asked for)!

Ok - it's an obvious implementation bug, and the bug itself should be easy to fix. I won't comment on the wisdom of designing in ADKs in the first place; the problem now is, how do we get everyone to replace their vulnerable copies of PGP? And, since that won't ever happen completely, how do we minimise the remaining problem?

It should be easy to spot keys that have been tampered with: use gpg --list-packets and look for ADKs in the unhashed section of the self-signature. You can also check to see whether you are receiving messages that have been encrypted to more than one recipient: look for multiple session key packets.

Finally, I recommend that regular sweeps are made of the public key servers for keys that have been tampered with.

Lawsuit (5)

bwt (68845) | more than 14 years ago | (#830705)

I have copyrighted works under protected with PGP. I did not concent to the TPM I use being circumvented. Bruce's description of this vulnerability is clearly a circumvention technology that will be used to pirate my work and is thereby illegal under the DMCA.

I'm going to file a lawsuit against Bruce and Slashdot and anyone who links to Slashdot and anyone who reads the article and anyone who points at or otherwise refers to a person who reads the article. In fact, Bruce himself is circumvention technology, so I'm suing his parents, too, along with the major airlines, both of which have distributed Bruce.

You're too late (5)

Vanders (110092) | more than 14 years ago | (#830707)

We have already read all of your Emails. Thank you for your cooperation. Please stay in your seat, someone will soon arrive to collect you for processing. Yours,


Re:So what's the answer (5)

ssimpson (133662) | more than 14 years ago | (#830708)

If I read this correctly, only some versions of PGP have this problem with the ADKs. So does anyone know which ones have this problem? Or (better) which ones don't have this problem.

From the authors original message:

PGP-2.6.3ia UNIX (not vulnerable - doesn't support V4 signatures)

PGP-5.0i UNIX (not vulnerable)



GnuPG-1.0.1 UNIX (not vulnerable)

And am I correct in my assumption that PGP remains OK as long as you don't create an ADK? Or am I misreading the message?

NO! The problem is that ANYONE can create an ADK on the end of your existing PGP public key!

Re:ADK? Disturbing. (5)

ssimpson (133662) | more than 14 years ago | (#830709)

ADK has been a part of the NAI PGP implementation since v5 (e.g. 3 years ago).

There was a lot of arguing about including this feature, it's been documented in the user manual since v5, it's been talked about on newsgroups etc and it's been documented quite widely.

One saving grace is that the PGP standard (RFC2440) DOESN'T include this feature - so the problem should be fairly confined to users of NAI/PGP.

Again an example of Free OSS being better than the commerical alternatives? ;)

I'm really surprised that anyone who follows PGP to any degree has failed to notice? Anyway, it's documented in my PGP DH vs PGP RSA FAQ at:



Answers about GnuPG (5)

ssimpson (133662) | more than 14 years ago | (#830710)

See below a message from A.Back. Basically GnuPG is NOT a victim of this "attack".

> -----Original Message-----
> From: Adam Back []
> Sent: 24 August 2000 15:12
> To:
> Cc:;
> Subject: Re: Serious bug in PGP - versions 5 and 6
> Ross Anderson writes on uk-crypto:
> > Ralf Senderek has found a horrendous bug in PGP versions 5 and 6.
> >
> > [...]
> >
> > He's written a paper on his work and it's at
> >
> >
> >
> > Since NAI joined the Key Recovery Alliance, PGP has supported
> > "Additional Decryption Keys" which can be added to a public key.
> >
> > The sender will then encrypt the session key to these as well as to
> > your main public key. The bug is that some versions of PGP respond
> > to ADK subpackets in the non-signed part of the public key data
> > structure. The effect is that GCHQ can create a tampered version of
> > your PGP public key containing a public key whose corresponding
> > private key is also known to themselves, and circulate it. People
> > who encrypt traffic to you will encrypt it to them too.
> Amazing, and really unfortunate. Those of us who invested large
> amounts of effort in ensuring the ADK subpackets were not included in
> the ietf openPGP standard can be pleased we succeeded -- otherwise
> gnuPG and other implementations may now also have contributed to this
> risk. As it is gnuPG doesn't honor ADK requests, and all the rfc2440
> says about them is:
> 10 = placeholder for backward compatibility
> At the time I was suggesting that if PGP really must insist on
> creating software to escrow communications (the primary argument being
> that people didn't want to lose access to the stored mail as opposed
> to being able to have designated third parties snooping mail in
> transit) they should use storage key escrow.
> My main premise was that communication key escrow is too risky because
> an outside attacker gets the plaintext:

"Keys used to encrypt email which is transmitted over the Internet are
more valuable to an attacker than keys used to encrypt stored files
because of the relative ease with which an attacker can obtain copies
of emailed ciphertext. Stored encrypted files in contrast are
protected by all the physical security systems the company is relying
on to protect it's paper files, plaintext data stored on disks, and
backup tapes. [...]"

There was also lots of political discussion of how unwise it was for
PGP to create a escrow infrastructure which could as easily be used by
governments as by SEC companies to archive their employees

And people quoting Phil Zimmermann a few years earlier complaining
about ViaCrypt's PGP4 for business variant which had "escrow" in the
form of a third party "encrypt-to-self" config file setting.

And I believe I recall the NSA or some other US government body
picking up on the CMR / ADK mechanism and holding it up as evidence
against the claim that key recover was complex ... "see PGP did it,
this works".

> It's of scientific interest because it spectacularly confirms a
> prediction made by a number of us in the paper on `The Risks of Key
> Recovery, Key Escrow, and Trusted Third-Party Encryption'
> that key escrow would make it
> much more difficult than people thought to build secure systems.

Yes. It really highlights the truth in the statement about the
new risks introduced by adding key escrow.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?