What Is Happening to PGP?
 

Since version 6.0 of PGP, we users have watched a good idea turn progressively into a bad product. The brilliant system originally devised by Philip Zimmermann, simple, secure and elegant, is metamorphosing into a complex suite of applications with a heap of functions that the ordinary user will never use.

The company that bought PGP, Network Associates International, is unfortunately following the same path that has earned Microsoft so much ill repute: releasing a string of versions with a heap of new features that are turning what was a simple, elegant and easy-to-use program into an excessively large, complex application full of more or less exotic "features".

PGP's development is increasingly driven by marketing criteria and by the profit of the company that sells it, which would be fine if security, the most important value the product offers its customers, were not being neglected at the same time.

Thus the source code of version 2.6xi for DOS was well known to many people and had been analyzed enough for them to be sure that it had no vulnerabilities or back doors. But the number of people in a position to analyze the source code carefully keeps shrinking as the product's complexity grows, which turns its security more than anything into a matter of faith.

PGP's main strength was its simplicity, but for marketing reasons this is changing. Many of the new features, especially the additional decryption keys (ADK), have been commercial concessions that weakened the security of the system. PGP was never conceived as a system that would allow key escrow or additional keys that compromise the security and the very design of the system.

In my view, the most suitable version at the moment is 6.01i, obviously without using ADKs, since it is still reasonably simple and includes PGP Disk as part of the freeware version. I am currently using 6.58i, mainly to try out the command-line mode and PGP Net (I know, I fell for the new-features mania); nevertheless, I believe 6.01i without ADKs is the most suitable in a Windows environment.

And the announced version 7.xx? Not a chance. I, at least, will not fall into the game of permanent upgrades; the earlier versions are more than enough for what I use the program for. And I am already thinking of using 2.6i with conventional cryptography for some applications.

And I am not the only one who is worried. In fact, the post by Michel Bouissou that I reproduce below (in English) is what encouraged me to write this article, and it sums up many ideas I had had scattered since PGP 6.x. A fundamental part of that post is the one I translate below:

"- - N.A.I. (Network Associates International) should stop attaching to PGP other "security" features such as a VPN (virtual private network), firewalls or intrusion detectors that have nothing to do with the PGP core. PGP is PGP and could be accompanied by PGP Disk. The rest has nothing to do with PGP and could be sold by N.A.I. in different, separate software packages if they so wish. The more unnecessary and heavy things are included in PGP and the more it grows, the harder review and control will be, and the higher the risk of bugs and security threats that remain unnoticed.
-- And we would like N.A.I. to release a freeware version of PGP that is completely free of ADKs (Additional Decryption Keys)"


Date: Sun, 27 Aug 2000 15:17:38 +0200
From: pgpenfrancais <pgpenfrancais@bigfoot.com>
To: jya@pipeline.com
CC: michel@bouissou.net
Subject: PGP in GPL to restore confidence?

John,
FYI, this very interesting message of Michel Bouissou, a French
crypto-activist.

Cheers,
--
pgpenfrancais@bigfoot.com
PGP en francais http://www.geocities.com/SiliconValley/Bay/9648/news.htm

****

From: "Michel Bouissou" <michel@bouissou.net>
Newsgroups: alt.security.pgp,comp.security.pgp.discuss,sci.crypt
Subject: PGP ADK Bug: What we expect from N.A.I.
Date: Sun, 27 Aug 2000 11:13:49 +0200


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The disastrous ADK bug recently discovered by Ralf Senderek in
versions 5.x and 6.x of PGP has greatly compromised the trust that
all of us crypto and privacy activists had in N.A.I. PGP.

In this message, I express not only my personal opinion, but as well
the opinion of several crypto and privacy activists, long-time PGP
supporters in France.

This bug is the most serious and threatening one ever discovered in
PGP since its beginning.

Although N.A.I. quickly reacted to this bug by scanning and fixing
their keyservers, publishing a new PGP 6.5.8 version supposed to be
immune to the bug within 48 hours after its discovery, and also
released a PGPrepair program which is supposed to clean forged public
keys from keyrings, this still is far from enough.

(We write "supposed" not because we distrust the efforts made by
N.A.I., but because we estimate that these solutions cannot have been
tested enough in this short timeframe to put full confidence into
them).

We received information from N.A.I. stating that these
countermeasures were the first steps taken in emergency, and we
acknowledge that they shown quick and reactive and there was not much
more that they could have done in such a short timeframe.

We understand from N.A.I. employees statement that more comprehensive
and definitive solutions are yet to come and are looking forward for
these solutions.

Yet, we regret that N.A.I. and / or Phil Zimmermann didn't release so
far clearer explanations about what they thought of this bug and its
cause and consequences on a technical standpoint.

The fact that this bug can allow messages to be encrypted to somebody
(attacker) different than the intended message recipients makes it
one of the most disastrous things that can happen to a public-key
cryptosystem.

This bug being related to the "ADK / ARR" feature in PGP makes the
issue still hotter, as this ADK feature has been contested and
disapproved from the beginning by the vast majority of PGP
supporters, as well as a number of crypto specialists.

In any case, this "ADK / ARR" feature is a very sensible thing, as
incorporating such features in a cryptosystem creates one possible
weakness and attack path. Ralf's discovery recently proved we were
right being worried about it.

This ADK system being so sensible, we would have expected N.A.I. to
have put the highest care in implementing, testing, securing and
documenting it. Unfortunately, Ralf's work and our own tests proved
this wasn't the case.

=> The bug exists, can easily be exploited. This has been largely
debated these last days.

=> The "warning" messages do not behave as one would expect by
reading the manuals and options explanations.

=> The whole ADK concept and implementation is not explained nor
discussed in the PGP Freeware manual, maintaining ignorance and
confusion about sensible things which should be made very clear.

All this proves that this wasn't properly done, and, quoting Ralf
Senderek last public note:
<<<<<
>This is not a bug, this is a scandal, because NAI put ADKs into PGP
>without caring about simple manipulations.  Obviously there has
>never been a well thought-out security strategy and most of the
>relevant information the public got from NAI concerning ADKs was
>completely untrue as my experiments reveal.
>>>>>

We regret to say that we must share and approve Ralf point of view
about this.

This weakness discovered in the v4 signature mechanism raises the
issues of possible other weaknesses that might have been introduced
in PGP when PGP5 was released, because it proves that things which
should have been carefully checked and designed were not. And such a
weakness stayed unnoticed for several years.

In light of this, we must acknowledge that Ralf Senderek advice to
trust only PGP 2.6.x version makes sense.

Seeing that, and seeing that several small but very visible bugs have
remained in the PGP G.U.I for a very long time (such as a bug in the
display of the main PGPkeys window, bug in the display of Keyserver
search results...) we really have to worry about the overall quality
and security of the PGP products.

Consequently, we suggest that:

- - N.A.I. should put the core of PGPFreeware under GNU/GPL license.
This would probably have no or little impact on the ability of N.A.I.
to keep producing and selling commercial PGP versions and related
security services, and would help much in restoring confidence.

- - N.A.I. should start cooperating, and not competing, with current
PGP-compatible cryptosystems developments such as GnuPG.

- - N.A.I. should urgently have the current PGP versions and key
formats reviewed by independent competent, and well-known
cryptographers, and should ask them to publish an independent audit
report about their findings.

- - N.A.I. should communicate very clearly about the ADK issue, and the
possible consequences of the existence of a non-hashed area in the v4
signature format. Although details about this signature format may be
buried somewhere in a technical RFC or the like, N.A.I. should
publicly discuss this signature format and the reason why such
non-hashed areas were put into it.

- - N.A.I. should try its best to explain how this bug can have been
introduced unnoticed in PGP, and why the implementation of the ADK
feature has not been accompanied with security controls that meet the
quality standards expected for such a life-critical software.

- - N.A.I. should take appropriate measures to really kick this problem
off. If this means having to abandon the current DH/DSS keys or
signature format and developing a new, more robust format, this
should be undertaken according to independent and competent
cryptographers advice.

- - N.A.I. should stop bundling PGP with other "security" features such
as a VPN or firewall or intrusion detector that have nothing to do
with the PGP core. PGP is PGP and may be accompanied by
PGPdisk. The rest has nothing to do with PGP and could be sold by
N.A.I. in different, separated software packages if they want. The
more unnecessary and bulky things are included with PGP, the bigger
PGP grows, the harder it becomes to review and control, and higher
becomes the risk that security-threatening bugs remain unnoticed.

- - N.A.I. should integrate into the next PGP releases an option to
globally deactivate ADK encryption, even if this means refusing to
encrypt anything to a recipient key which has an attached ADK.

- - And we wish that N.A.I. should release a freeware PGP version which
is completely ADK-free.

Should N.A.I. choose to follow some of these advices, this would
greatly help in restoring confidence that has much suffered from this
regrettable event.

Should N.A.I. choose to ignore these comments, this would surely lead
many people to distrust the PGP software and move on to new systems
such as GnuPG, which many of us are already seriously considering.

michel@bouissou.net

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com/>
Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.

iQA/AwUBOajNvY7YarFcK+6PEQIsfgCeItaFxuENITYwHyarFt6h3oX4dwwAn305
MezqixhI0VhEObdogHcJU3rO
=Jkhe
-----END PGP SIGNATURE-----
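
The letter's concern about the non-hashed area of the v4 signature format can be checked mechanically. The following Python sketch is an added example, not part of the original post or of any PGP code: it splits a v4 signature packet body into its hashed and unhashed subpacket areas, following the OpenPGP layout, and reports which area carries an ADK subpacket (type 10). The function names and the sample packets are constructed for illustration.

```python
ADK_TYPE = 10  # subpacket type that PGP 5.x/6.x used for the ADK request

def subpackets(area):
    """Yield (type, data) for every subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        used = 1 if first < 192 else 2 if first < 255 else 5  # length-field size
        if i + used > len(area):
            raise ValueError("truncated subpacket length")
        if used == 1:
            length = first
        elif used == 2:
            length = ((first - 192) << 8) + area[i + 1] + 192
        else:
            length = int.from_bytes(area[i + 1:i + 5], "big")
        i += used
        if length == 0 or i + length > len(area):
            raise ValueError("subpacket overruns its area")
        yield area[i] & 0x7F, area[i + 1:i + length]  # mask the critical bit
        i += length

def split_areas(sig):
    """Return the (hashed, unhashed) areas of a v4 signature packet body."""
    if len(sig) < 6 or sig[0] != 4:
        raise ValueError("not a version 4 signature body")
    hashed_end = 6 + int.from_bytes(sig[4:6], "big")
    end = hashed_end + 2 + int.from_bytes(sig[hashed_end:hashed_end + 2], "big")
    if end > len(sig):
        raise ValueError("subpacket areas overrun the packet")
    return sig[6:hashed_end], sig[hashed_end + 2:end]

def adk_locations(sig):
    """List which areas ("hashed", "unhashed") carry an ADK subpacket."""
    areas = zip(("hashed", "unhashed"), split_areas(sig))
    return [name for name, area in areas
            if any(t == ADK_TYPE for t, _ in subpackets(area))]

def sub(kind, data):  # builds one subpacket for the constructed samples
    return bytes([len(data) + 1, kind]) + data

def build_sig(hashed, unhashed):  # v4 certification header, DSA, SHA-1; no signature value
    return b"\x04\x13\x11\x02" + b"".join(
        len(a).to_bytes(2, "big") + a for a in (hashed, unhashed))

# Constructed samples with zero-filled payloads, not taken from any real key.
CREATED, ISSUER, ADK = sub(2, bytes(4)), sub(16, bytes(8)), sub(ADK_TYPE, bytes(22))
SIGNED_ADK = build_sig(CREATED + ADK, ISSUER)    # ADK covered by the signature
UNSIGNED_ADK = build_sig(CREATED, ISSUER + ADK)  # ADK outside the signed data
```

An ADK subpacket reported only in the unhashed area is not covered by the key owner's self-signature, so software handling the key has no basis for treating it as the owner's request.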