Adobe Product Security Team Accidentally Leaks PGP Private Key

September 26, 2017 / by Fornetix

Adobe's Product Security Incident Response Team (PSIRT) accidentally posted their private key to the internet allowing anyone with access to either side of a conversation with the PSIRT to be able to decrypt the messages.  The Adobe security team was quick to revoke the PGP key, but it has left people with encrypted messages to Adobe in the clear.  How did it happen?

Asymmetric encryption keys have two portions, the private and public block.  The two blocks together allow you to be able to take information encrypted with one block and turn it into an answer for another.  Part of the key of this is keeping your private key private.  This allows people with your public key to perform encryption operations against your key while you still have another way to open the cryptographic information.  This way you can be assured that people are who they say they are based on information they sign with their private key, and you can maintain your own private key while allowing people to send you encrypted information.

Asymmetric keys have multiple formats, in some formats, you keep the public and private key in separate files; however, you can put the public and private key together in formats such as PKCS#12.  Adobe took one of these formats and publically distributed both keys in the chain.  A large portion of the keys are removed below:

 

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v1.8.0
Comment: https://www.mailvelope.com

xsFNBFm/2KMBEADbwToJM3BCVE1OeC22HgVEqNEDppXzuD2dgfKuy0M4tx2L
===================<REMOVED>===================
=QOc7
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: Mailvelope v1.8.0
Comment: https://www.mailvelope.com

xcaGBFm/2KMBEADbwToJM3BCVE1OeC22HgVEqNEDppXzuD2dgfKuy0M4tx2L
===================<REMOVED>===================
=o41l
-----END PGP PRIVATE KEY BLOCK-----

The public key block should be posted or made available, while the private key block should have been kept for internal use only.

Fornetix VaultCore enables the ability to automate key lifecycle.  Leveraging an OASIS standard (OASIS KMIP) for Key Management, we have extended what is possible by adding automation and providing client and a RESTful interface to allow integration into existing solutions.  The Policy Engine and Hierarchy provide a way to ensure creation of new keys follow security standards setup by your enterprise security organization.

Having standards of what sorts of keys (public / private) get pushed to different locations allows Fornetix VaultCore to mitigate accidental spillage of cryptographic material into unintended locations.


Note: This entry has been edited to reflect the 'Key Orchestration' solution name becoming 'VaultCore'

Learn More about Fornetix Solutions

Recent Posts