Network Associates Security Advisory: PGP Security Advisory for PGP 5.0 | Linux Today

Network Associates Security Advisory: PGP Security Advisory for PGP 5.0

Written By
Web Webster
Web Webster
Jun 1, 2000

Date: Tue, 30 May 2000 20:13:34 -0700
From: Will Price wprice@cyphers.net
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: PGP Security Advisory for PGP 5.0

Network Associates Security Advisory
Date: May 30, 2000
Author: PGP Engineering

Background:

A security issue has been discovered in the following PGP
products:

– PGP 5.0 for Linux, US Commercial and Freeware editions
– PGP 5.0 for Linux, Source code book (basis for PGP 5.0i for
Linux)

The following PGP products are NOT affected by this issue:

– PGP 1.x products
– PGP 2.x products
– PGP 4.x products
– All other PGP 5.x products
– PGP 6.x products
– PGP 7.x products

Synopsis:

During a recent review of our published PGP 5.0 for Linux source
code, researchers discovered that under specific, rare
circumstances PGP 5.0 for Linux will generate weak, predictable
public/private keypairs. These keys can only be created under the
following circumstances:

– Keys are generated using PGP’s command line option for
unattended batch key generation, with no user interaction for
entropy (random data) collection

– No keys were generated interactively on this system previously
(e.g., a PGP random seed file is not present on this system prior
to unattended batch key generation)

– PGP is able to access the UNIX /dev/random service to gather
entropy during unattended batch key generation

PGP 5.0 for Linux does not process the data read from
/dev/random appropriately, and therefore does not gather enough
entropy required to generate strong public/private keypairs. This
issue affects both RSA and Diffie-Hellman public/private keypairs,
regardless of keysize. Network Associates has verified that this
issue does not exist in any other version of PGP.

Solution:

Users who generated keys in the manner described above are
strongly urged to do the following:

– Revoke and no longer use keys suspected to have this
problem

– Generate new public/private keypairs with entropy collected
from users’ typing and/or mouse movements

– Re-encrypt any data with the newly generated keypairs that is
currently encrypted with keys suspected to have this problem

– Re-sign any data with the newly generated keypairs, if
required

Users are also urged to upgrade to the latest releases of PGP,
as PGP 5.0 products have not been officially supported by Network
Associates since early 1999, or distributed by Network Associates
since June 1998.

Additional Information:

US commercial and freeware versions of PGP 5.0 for Linux were
released in September 1997 by PGP, Inc., a company founded by Phil
Zimmermann. Source code for the PGP 5.0 product family was
published in September 1997. PGP, Inc. was acquired by Network
Associates in December 1997.

Acknowledgements:

PGP appreciates the efforts of Germano Caronni, Thomas Roessler
and Marcel Waldvogel in identifying this issue and bringing it to
our attention.

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.