Additional Decryption Key (ADK)? - PGP

Thread: Additional Decryption Key (ADK)?

  1. Additional Decryption Key (ADK)?

    I am using PGP 8.0.3 at work. I have a quick question about the Additional
    Decryption Key (ADK). Is this a "backdoor" key IT administrators can use to
    open my PGP disk volumes and encrypted emails?

    Thanks!



  2. Re: Additional Decryption Key (ADK)?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "Anonymous" wrote in
    news:FIqrd.191110$hj.48304@fed1read07:

    > I am using PGP 8.0.3 at work. I have a quick question about the
    > Additional Decryption Key (ADK). Is this a "backdoor" key IT
    > administrators can use to open my PGP disk volumes and encrypted
    > emails?
    >
    > Thanks!


    The ADK is not really a backdoor, because there is nothing hidden
    about it. If you are also encrypting to an ADK, you are able to
    detect this, just as you can detect all keys that you are encrypting
    to. But, the purpose is so that someone else in your company can
    decrypt your encrypted files/email if you leave the company, are out
    of town, out sick, etc. Sometimes, the ADK will be a split key so
    that no one individual is able to use it for such purposes.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    iQEVAwUBQa5mFWDeI9apM77TAQLiUwf9HAJUetJTd4tpbKdHGOsPUP0+Dj+HuA4m
    kOgXhsnOB1ODVDz3RBkAH44ONHzrmuQZ2XhBnPUSCQpgUjGNBw9aRnOdzT4DTdO6
    0e4o8CNfJOSP5UnouBQEczivN/hAt4+MVwBNirP0dkjJ0HdlqjNYt10S68HqWBtY
    jbOjt++5Vgp2tnPSBx4BHdezzDgg7WBlP3xOA0AU9AocHD9jqCwAYxI/Jq9sadeV
    a2FSS8zsWbOduMwVMoopMboYUvguchAkMEKC33DRbzhTsgy4No26yIaDexWgs9rf
    dePU6t1Hsc2QC7r9W6P4I5491RUTmpWitzUEeXxsb6IXQC4m49Y1Gg==
    =aUw+
    -----END PGP SIGNATURE-----

  3. Re: Additional Decryption Key (ADK)?

    Tom McCune wrote:

    > "Anonymous" wrote in
    > news:FIqrd.191110$hj.48304@fed1read07:
    >
    >> I am using PGP 8.0.3 at work. I have a quick question about the
    >> Additional Decryption Key (ADK). Is this a "backdoor" key IT
    >> administrators can use to open my PGP disk volumes and encrypted
    >> emails?
    >>
    >> Thanks!

    >
    > The ADK is not really a backdoor, because there is nothing hidden
    > about it. If you are also encrypting to an ADK, you are able to
    > detect this, just as you can detect all keys that you are encrypting
    > to. But, the purpose is so that someone else in your company can
    > decrypt your encrypted files/email if you leave the company, are out
    > of town, out sick, etc. Sometimes, the ADK will be a split key so
    > that no one individual is able to use it for such purposes.


    Not a backdoor. An alternate, special-purpose, front door

    David

  4. Re: Additional Decryption Key (ADK)?

    Anonymous wrote:
    >
    > I am using PGP 8.0.3 at work. I have a quick question about the Additional
    > Decryption Key (ADK). Is this a "backdoor" key IT administrators can use to
    > open my PGP disk volumes and encrypted emails?
    >
    > Thanks!


    Remember, you are using your employer's equipment and software
    while you are being paid by your employer to work. Therefore, your
    employer has the right to view the work you perform.

    Effectively, ADK is a capability that allows your employer to
    access your work-related encrypted files in your absence. (Surely,
    you don't have personal files on your employer's computers.) If
    you are ill, on vacation, or killed in a freeway accident, your
    employer cannot afford to halt all work merely because you
    encrypted some vital data (even if good business sense indicates
    the files should have been encrypted) and are now unavailable to
    decrypt them.

    See my for details.

    --

    David E. Ross


    I use Mozilla as my Web browser because I want a browser that
    complies with Web standards. See .

  5. Re: Additional Decryption Key (ADK)?

    Theft of company "time" is not an issue I am into. What I do while I eat
    lunch does not qualify as "company" time. After spending 12 or more hours a
    day working, forgive me if I spend 5 minutes to check my blood pressure
    prescription on-line or, check my bank account to see if the company made an
    e-deposit to cover a multi-thousand dollar American Express bill from a
    company trip. Regarding use of company assets, they have a published "fair
    use" policy which I comply with.

    The information I am most concerned about is not whether my employer knows
    whether I take a beta blocker or calcium channeler for blood pressure or,
    Singulair or Allegra for allergies. The potential damage of a nosy
    employee gaining access to salary or performance review information could be
    devastating when taken out of context and presented in "raw" form. People
    in management could view the raw data with an objective eye but, a less
    experienced employee (not just new hires) has inadvertently gained access
    to this type of data in the past and blown it out of perspective. The cost
    to explain the numbers to the group as a whole and deal with the "rumor
    mill" in addition to general damage control is enormous.

    An informed security choice is a better choice. Also, respect for the
    integrity of your IT and PGP admins could go a long way to reassuring users
    of their security status.


    "David Ross" wrote in message
    news:41AF51E9.432201BE@nowhere.not...
    > Anonymous wrote:
    >>
    >> I am using PGP 8.0.3 at work. I have a quick question about the
    >> Additional
    >> Decryption Key (ADK). Is this a "backdoor" key IT administrators can use
    >> to
    >> open my PGP disk volumes and encrypted emails?
    >>
    >> Thanks!

    >
    > Remember, you are using your employer's equipment and software
    > while you are being paid by your employer to work. Therefore, your
    > employer has the right to view the work you perform.
    >
    > Effectively, ADK is a capability that allows your employer to
    > access your work-related encrypted files in your absence. (Surely,
    > you don't have personal files on your employer's computers.) If
    > you are ill, on vacation, or killed in a freeway accident, your
    > employer cannot afford to halt all work merely because you
    > encrypted some vital data (even if good business sense indicates
    > the files should have been encrypted) and are now unavailable to
    > decrypt them.
    >
    > See my for details.
    >
    > --
    >
    > David E. Ross
    >
    >
    > I use Mozilla as my Web browser because I want a browser that
    > complies with Web standards. See .




  6. Re: Additional Decryption Key (ADK)?

    So, this would show up in my recipient list when I inspect the armored file
    and/or when I encrypt this file itself?

    ADKs do appear to have a place in the corporate world but, they need to be
    understood by the PGP user community. I don't care if business reports for
    example are accessible by a group of appropriate individuals besides myself.
    The people who should have access to personnel data are a different group of
    users.

    > Sometimes, the ADK will be a split key so
    > that no one individual is able to use it for such purposes.


    If I knew that for sure, I would not be concerned. Single point failures
    can lead to trouble.



    "Tom McCune" wrote in message
    newsCtrd.31404$1u.11589@twister.nyroc.rr.com...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > "Anonymous" wrote in
    > news:FIqrd.191110$hj.48304@fed1read07:
    >
    >> I am using PGP 8.0.3 at work. I have a quick question about the
    >> Additional Decryption Key (ADK). Is this a "backdoor" key IT
    >> administrators can use to open my PGP disk volumes and encrypted
    >> emails?
    >>
    >> Thanks!

    >
    > The ADK is not really a backdoor, because there is nothing hidden
    > about it. If you are also encrypting to an ADK, you are able to
    > detect this, just as you can detect all keys that you are encrypting
    > to. But, the purpose is so that someone else in your company can
    > decrypt your encrypted files/email if you leave the company, are out
    > of town, out sick, etc. Sometimes, the ADK will be a split key so
    > that no one individual is able to use it for such purposes.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGP 8.1
    > Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm
    >
    > iQEVAwUBQa5mFWDeI9apM77TAQLiUwf9HAJUetJTd4tpbKdHGOsPUP0+Dj+HuA4m
    > kOgXhsnOB1ODVDz3RBkAH44ONHzrmuQZ2XhBnPUSCQpgUjGNBw9aRnOdzT4DTdO6
    > 0e4o8CNfJOSP5UnouBQEczivN/hAt4+MVwBNirP0dkjJ0HdlqjNYt10S68HqWBtY
    > jbOjt++5Vgp2tnPSBx4BHdezzDgg7WBlP3xOA0AU9AocHD9jqCwAYxI/Jq9sadeV
    > a2FSS8zsWbOduMwVMoopMboYUvguchAkMEKC33DRbzhTsgy4No26yIaDexWgs9rf
    > dePU6t1Hsc2QC7r9W6P4I5491RUTmpWitzUEeXxsb6IXQC4m49Y1Gg==
    > =aUw+
    > -----END PGP SIGNATURE-----




  7. Re: Additional Decryption Key (ADK)?

    "Anonymous" wrote in
    news:FPZrd.193243$hj.189922@fed1read07:

    > So, this would show up in my recipient list when I inspect the armored
    > file and/or when I encrypt this file itself?


    Yes. Actually, if you do not have the ADK on your keyring, it cannot be
    encrypted to anyway.

    I'm guessing that in reference to the question of a PGPdisk volume, that
    you could avoid the issue by encrypting it to a passphrase rather than to
    your key. Of course, in a work setting, there might be keystroke
    recording. But, if that is present, they could also copy your private
    key and capture its passphrase anyway.

    > ADKs do appear to have a place in the corporate world but, they need
    > to be understood by the PGP user community. I don't care if business
    > reports for example are accessible by a group of appropriate
    > individuals besides myself. The people who should have access to
    > personnel data are a different group of users.


    I would agree. Going along with the issue of employers being allowed to
    read your keymail, review your web connections, doing keystroke
    recording: at least in the US it is permitted without the employee being
    notified, but I think that is along the lines of being unethical/immoral.

    >> Sometimes, the ADK will be a split key so
    >> that no one individual is able to use it for such purposes.

    >
    > If I knew that for sure, I would not be concerned. Single point
    > failures can lead to trouble.


    I guess there is no way to be sure. You can ask, but the accuracy of
    what an administration says is certainly not 100%.

    --
    Tom McCune
    My PGP Page & FAQ: http://www.McCune.cc/PGP.htm
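Tom's two points in this reply (every key a message is encrypted to, an ADK included, shows up as a recipient; a PGPdisk or file encrypted to a passphrase has no key recipient at all) can be checked on the OpenPGP packet stream itself. The following Python is an added example, not code from this thread or from PGP: it walks the top-level packets of a binary (dearmored) OpenPGP message, records the key ID carried by each Public-Key Encrypted Session Key packet and counts passphrase slots. The two sample messages and the key IDs in them are constructed placeholders, not real keys, and their payload is dummy bytes that are never decrypted.

```python
"""Audit which keys an OpenPGP message was encrypted to (RFC 4880 packet framing).

Added example. Sample messages and key IDs below are constructed test data.
"""
import struct

PKESK = 1   # Public-Key Encrypted Session Key: one per public-key recipient (an ADK too)
SKESK = 3   # Symmetric-Key Encrypted Session Key: a passphrase "recipient"
SEIPD = 18  # Symmetrically Encrypted Integrity Protected Data: the payload itself
WILDCARD_KEY_ID = "0000000000000000"  # RFC 4880 5.1: all-zero key ID hides the recipient


def iter_packets(data: bytes):
    """Yield (tag, body) for each top-level packet; handles old and new headers."""
    pos, n = 0, len(data)
    while pos < n:
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not used for ESK packets")
        else:  # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 0:
                length = data[pos]
                pos += 1
            elif ltype == 1:
                length = struct.unpack(">H", data[pos:pos + 2])[0]
                pos += 2
            elif ltype == 2:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                length = n - pos  # indeterminate length: packet runs to end of input
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def audit_recipients(data: bytes) -> dict:
    """Return the recipient key IDs (hex) and the number of passphrase slots."""
    key_ids, passphrase_slots = [], 0
    for tag, body in iter_packets(data):
        if tag == PKESK:
            if body[0] != 3:
                raise ValueError(f"unsupported PKESK version {body[0]}")
            key_ids.append(body[1:9].hex().upper())  # version(1) | key ID(8) | algo | MPIs
        elif tag == SKESK:
            passphrase_slots += 1
    return {"key_ids": key_ids, "passphrase_slots": passphrase_slots}


def unexpected_recipients(data: bytes, expected_key_ids) -> list:
    """Key IDs beyond the ones you chose. A hidden (all-zero) recipient is always
    reported, because the packet alone cannot tell you who holds that key."""
    expected = {k.upper() for k in expected_key_ids}
    return [k for k in audit_recipients(data)["key_ids"]
            if k == WILDCARD_KEY_ID or k not in expected]


# ---- constructed sample messages (test data only, never decryptable) ----
def _packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one-octet length (enough for these samples)."""
    assert len(body) < 192
    return bytes([0xC0 | tag, len(body)]) + body


def _pkesk(key_id: bytes) -> bytes:
    # v3 PKESK body: version, 8-byte key ID, algorithm 1 (RSA), one dummy MPI
    return _packet(PKESK, b"\x03" + key_id + b"\x01" + b"\x00\x10\xAB\xCD")


USER_KEY_ID = bytes.fromhex("1122334455667788")  # placeholder: the user's own key
ADK_KEY_ID = bytes.fromhex("AABBCCDDEEFF0011")   # placeholder: the corporate ADK
_PAYLOAD = _packet(SEIPD, b"\x01" + b"\x00" * 15)  # dummy ciphertext

# encrypted to the user's key and, silently from the user's point of view, the ADK
SAMPLE_KEY_ENCRYPTED = _pkesk(USER_KEY_ID) + _pkesk(ADK_KEY_ID) + _PAYLOAD

# passphrase-only message; the SKESK uses an old-format header (0x80 | 3 << 2)
_SKESK_BODY = b"\x04\x09\x03\x02" + b"\x00" * 8 + b"\x60"  # v4, AES-256, iterated+salted S2K
SAMPLE_PASSPHRASE_ENCRYPTED = bytes([0x8C, len(_SKESK_BODY)]) + _SKESK_BODY + _PAYLOAD

if __name__ == "__main__":
    print(audit_recipients(SAMPLE_KEY_ENCRYPTED))
    print(unexpected_recipients(SAMPLE_KEY_ENCRYPTED, ["1122334455667788"]))
    print(audit_recipients(SAMPLE_PASSPHRASE_ENCRYPTED))
```

On a real message the same listing comes from `gpg --list-packets`, which prints one `:pubkey enc packet:` line with a key ID per recipient and a `:symkey enc packet:` line for a passphrase slot; ASCII-armored input has to be dearmored first (for example with `gpg --dearmor`). Two caveats matter for the audit: the all-zero key ID is a legitimate "hidden recipient" option in OpenPGP and must be treated as unknown rather than ignored, and an ADK on the key itself only takes effect in software that honours it, so the recipient list of the actual ciphertext, not the key's attributes, is what to check.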

  8. Re: Additional Decryption Key (ADK)?

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256

    From: Tom McCune
    Newsgroups: comp.security.pgp.discuss

    "Anonymous" wrote in
    news:FPZrd.193243$hj.189922@fed1read07:

    > So, this would show up in my recipient list when I inspect the
    > armored file and/or when I encrypt this file itself?


    ]Yes. Actually, if you do not have the ADK on your keyring, it
    ]cannot be encrypted to anyway.


    ]I'm guessing that in reference to the question of a PGPdisk volume,
    ]that you could avoid the issue by encrypting it to a passphrase rather
    ]than to your key. Of course, in a work setting, there might be keystroke
    ]recording. But, if that is present, they could also copy your
    ]private key and capture its passphrase anyway.


    haven't ever used a corporate pgp version with an adk before,
    so am not sure if this solution would work :

    [1] at home, get the freeware version of pgp
    (any edition)

    [2] generate a new keypair and put it on a floppy
    (a pubring.pkr and secring.skr consisting of just that key)

    [3] create a new pgpdisk volume, encrypted to the key on the floppy
    (when pgpdisk asks where the key is,
    [_if_ the corporate adk version lets you],
    point it to the keyrings on the floppy)

    the possibility to do this 'might' have slipped through the corporate
    pgp adk design ... ;-)


    if this cannot be done,
    (if corporate pgp pgpdisk refuses to acknowledge any keyrings other
    than those generated by the company),

    then you can still run either pgp 2.x or gnupg 1.2.x from a floppy
    without any installation on the machine,

    and then be prepared to surrender that key
    if demanded by IT,
    and defend why the encryption bypassed the company adk

    (the 'raw salary data' argument is plausible,
    but, to paraphrase Voltaire,

    "It is dangerous to be right when the administration is wrong" ;-)


    hth,

    vedaal

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.3.6 (MingW32) - WinPT 0.9.13
    Comment: Acts of Kindness better the World, and protect the Soul

    iQIVAwUBQbCQHVqiDIZqWJqXAQgfDxAAiFTVHjmh8jeTlYWwzAady88EEjJXQZ8l
    e/PlQ8TYl5BQFhAqzam7ljkRUOwOnigA6AqE2i3iRWLP3H93qJBFFQYKku3Pwmcc
    M37LKj0L/Tk024dp2KGafKk0r16RrHu20ztwVPIsA98w0OsPILzWIkxf5vcfDP3n
    X5T4wgzYTyZHwq+Bl2mtGrxgltCrdoHINHxArdTtp4busWT+LwqWkciC4ylvkAME
    lURw7KuRC3RzuJ2+DZ/Ot36dqGxt/G1VoBagI6QwRJ/4UQGqtFtnIUlJU82naTQ7
    xMiUFlOlDvs/qHAhSwC8Pg7zf1JQAbLs8m3VhjyNQzTgO6FVWCUXsI8rvPLwKMJH
    UcUJlnklMXHDX6r7IWT52muLxb6TF3u1fL11jgS91ULro94zF+d7Mn5rOASPMBzh
    8rbBzDntP8hoTov7l/XgHMTZn6WaeeMew5iZ1W1O70/Vb7jdYxmzmw5jHhgAhOIn
    D0HdS6wXjTLHq0oFkDmEoAwXzD//29ckY9/qiRXfYT3taSPLTup3rWksbFdiii7O
    Dk6+SBBysHqwGyuzmbzspVgHht4CU+C60KOu4FibBL6LYbRfyODy/4XdGAUsQ/4F
    XAWHKvOfbuZfuqlaxgR5M3hCFyZ62s2UafIMRoqM4E1gt+hb9Q9/57qYMWcs00ia
    y/DgBk/AW6E=
    =WA1I
    -----END PGP SIGNATURE-----

  9. Re: Additional Decryption Key (ADK)?

    Anonymous wrote [in part]:
    >
    > The potential damage of a nosy
    > employee gaining access to salary or performance review information could be
    > devastating when taken out of context and presented in "raw" form. People
    > in management could view the raw data with an objective eye but, a less
    > experienced employee (not just new hires) has inadvertently gained access
    > to this type of data in the past and blown it out of perspective. The cost
    > to explain the numbers to the group as a whole and deal with the "rumor
    > mill" in addition to general damage control is enormous.


    In a company with a well-run security organization, only a limited
    number of security officers would have the company's ADK private
    keys. These are the same individuals who have the combinations of
    all the safes and the keys to all the doors and desks. They also
    issue all the badges and monitor the logs that show which badges
    were used to unlatch which secure doors. Of course, they can gain
    access to all personnel records and don't really need to use PGP's
    ADK feature to see them.

    --

    David E. Ross


    I use Mozilla as my Web browser because I want a browser that
    complies with Web standards. See .
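Several replies in this thread (Tom's "sometimes the ADK will be a split key so that no one individual is able to use it", the original poster's "single point failures can lead to trouble", and the "limited number of security officers" above) rest on threshold secret sharing. The following Python is an added example, not PGP's own key-splitting code and not from the thread: it uses Shamir's (k, n) sharing over GF(p) to make the property concrete, treating the secret as one integer below the field prime (real key material would be chunked), with a constructed placeholder secret. The last function demonstrates the point that matters for the "no single individual" claim: any set of fewer than k shares is consistent with every possible secret, so a lone holder learns nothing.

```python
"""Threshold sharing of a key, to illustrate a "split" ADK (added example, Shamir scheme).

Not PGP's implementation; the secret and share counts below are constructed.
"""
import secrets

PRIME = 2 ** 127 - 1  # Mersenne prime: the field the polynomial lives in


def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, holders: int):
    """Return `holders` shares (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 2 <= threshold <= holders:
        raise ValueError("need 2 <= threshold <= holders")
    # random polynomial of degree threshold-1 whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def interpolate_at(points, x: int) -> int:
    """Value at x of the unique polynomial through the given (xi, yi) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME  # Fermat inverse
    return total


def recover_secret(shares) -> int:
    """Lagrange interpolation at x = 0; correct only with >= threshold shares."""
    return interpolate_at(shares, 0)


def consistent_with_any_secret(partial_shares, candidate: int) -> bool:
    """Show that a below-threshold set of shares does not pin down the secret:
    for any `candidate`, one more share can be constructed so that the set
    recovers exactly `candidate`. Returns True when that construction works."""
    x_new = max(x for x, _ in partial_shares) + 1
    y_new = interpolate_at(partial_shares + [(0, candidate)], x_new)
    return recover_secret(partial_shares + [(x_new, y_new)]) == candidate


SECRET = 0x0123456789ABCDEF  # constructed placeholder for ADK key material

if __name__ == "__main__":
    shares = split_secret(SECRET, threshold=3, holders=5)
    print("3 of 5 recover:", recover_secret(shares[:3]) == SECRET)
    print("2 of 5 recover:", recover_secret(shares[:2]) == SECRET)
    print("2 shares fit any secret:", consistent_with_any_secret(shares[:2], 424242))
```

The operational consequence is the one the thread circles around: whether the ADK is actually split, and at what threshold, is a property of how the key was generated and held, not something a user can read off the ciphertext, which is why the only available check is to ask the administrators.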

  10. Re: Additional Decryption Key (ADK)?


    "David Ross" wrote in message
    news:41B0B1DD.BE30DEF0@nowhere.not...
    > In a company with a well-run security organization,


    I'm sure that exists at some other companies but, mine......

    In fact, I probably would not have posted at all if we had a "well-run
    security organization"


