Security Flaw in PGP Can Cause Serious Threat


[PRAGUE, Czech Republic] — Czech cryptologists
working for the ICZ company, an important
local systems integrator, disclosed a serious
security flaw in the Open PGP system which, therefore, affects all of the
encryption programs based on this specification.

PGP is widely used for the encryption of e-mail messages, for
securing their integrity and for unambiguous identification of the
sender. It is based on so-called public key cryptography, where the user
works with two keys: public key is distributed via Internet, private key
remains in user’s computer in the form of encrypted file. The original
freeware version of PGP has been
developed by Philip R. Zimmermann, the commercial version is being
deployed by Network Associates, Inc.


Vlastimil Klima and Tomas Rosa, two Czech cryptologists and specialists
on computer systems security, didn’t break the strong RSA
algorithm that is PGP based on. Instead, they recognized the private key
as the weak point of the system. The cryptologists have found a way
to obtain the content of the public key without decrypting it; they rather bypassed than broke it. The only requirement of
successful attack is that the intruder has to have access to the private
key for a while.

Klima and Rosa claim that it is often possible,
especially in larger companies and organizations where the keys are
stored on servers rather than on workstations or floppy disks. Once the
intruder has access to the content of the private key, he can pretend
fake identity, read the encrypted e-mail messages etc.


There is disagreement among security specialists how serious the threat
really is. Some of them argue that private keys are usually well kept on
secure locations; should they not, they say, the system is vulnerable
even without any special method proposed by Klima and Rosa.

The other
specialists generally agree that the security of private keys is
undervalued; once having them encrypted, people don’t think much about
their availability. The private key is, after all, computer equivalent
of credit card secured with PIN; as we all know, it is considered safe
to hand one’s card to the other person for a moment because without
knowing PIN no great damage can be done.


Klima and Rosa insist that their disclosure should be treated as serious
one – providing it will be proved as valid. They have submitted it in
the form of publicly available scientific
paper
. They have also started cooperation with the Network
Associates Inc. to prepare quick solution for disturbed PGP users.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web