RealTime IT News

Security Flaw in PGP Can Cause Serious Threat

[PRAGUE, Czech Republic] -- Czech cryptologists working for the ICZ company, an important local systems integrator, disclosed a serious security flaw in the Open PGP system which, therefore, affects all of the encryption programs based on this specification.

PGP is widely used for the encryption of e-mail messages, for securing their integrity and for unambiguous identification of the sender. It is based on so-called public key cryptography, where the user works with two keys: public key is distributed via Internet, private key remains in user's computer in the form of encrypted file. The original freeware version of PGP has been developed by Philip R. Zimmermann, the commercial version is being deployed by Network Associates, Inc.

Vlastimil Klima and Tomas Rosa, two Czech cryptologists and specialists on computer systems security, didn't break the strong RSA algorithm that is PGP based on. Instead, they recognized the private key as the weak point of the system. The cryptologists have found a way to obtain the content of the public key without decrypting it; they rather bypassed than broke it. The only requirement of successful attack is that the intruder has to have access to the private key for a while.

Klima and Rosa claim that it is often possible, especially in larger companies and organizations where the keys are stored on servers rather than on workstations or floppy disks. Once the intruder has access to the content of the private key, he can pretend fake identity, read the encrypted e-mail messages etc.

There is disagreement among security specialists how serious the threat really is. Some of them argue that private keys are usually well kept on secure locations; should they not, they say, the system is vulnerable even without any special method proposed by Klima and Rosa.

The other specialists generally agree that the security of private keys is undervalued; once having them encrypted, people don't think much about their availability. The private key is, after all, computer equivalent of credit card secured with PIN; as we all know, it is considered safe to hand one's card to the other person for a moment because without knowing PIN no great damage can be done.

Klima and Rosa insist that their disclosure should be treated as serious one - providing it will be proved as valid. They have submitted it in the form of publicly available scientific paper. They have also started cooperation with the Network Associates Inc. to prepare quick solution for disturbed PGP users.