A fly in PGP's ointment?
- 22 March, 2001 15:12
- Comments
A Czech company is hoping to make a big splash at the world's largest trade show this week by publicizing an alleged vulnerability in PGP (Pretty Good Privacy), encryption software used by millions of people around the world to keep their communications private. The chances of a breach that takes advantage of the vulnerability, however, are low enough to turn the company's splash into a splatter.
Prague-based ICZ, a consulting and systems integrator, issued a press release Tuesday stating that it has discovered a "serious bug" in PGP and promised to release technical details about it later this week at the CeBit trade show in Hanover, Germany. An ICZ representative could not be reached to comment.
PGP creator Phil Zimmermann reconstructed the type of attack detailed in the press release and learned that a breach as described by ICZ would not compromise encrypted messages, but could enable an attacker to tamper with digital signatures, codes that are used to authenticate the identity of a message's sender.
Zimmerman downplayed the possible impact of the vulnerability. First, he said, an attacker would either have to hack into a victim's computer or have to get physical access to it. Then, the attacker would have to modify the victim's private key - the code used by the sender to encrypt messages - in such a way as to make the digital signature incorrect.
However, both a message's sender and recipient can easily check invalid signatures.
"None of your signatures will look right after [an attack], so it's not going to be undetected," he said. "If you notice this, you'll revoke your key - so it's not really a useful attack, and it requires that your opponent have unprecedented access to your computer."
Zimmerman points out that if an attacker can manage to get that kind of unprecedented access to a victim's computer, he or she could wreak havoc that goes way beyond merely tampering with digital signatures. For instance, an attacker could install a keyboard sniffer that would capture the victim's PGP password and allow the hacker to impersonate the victim, he said.
The ICZ statement also said an attack could be perpetrated against people who send their private keys over e-mail or store them on shared servers. Zimmermann debunked that threat, too, and noted that a basic understanding of encryption users is that it is incredibly unsafe to transmit a private key online, and that there are more secure alternatives for storing private keys on shared computers.
Although the chances of such an attack are unlikely, future versions of PGP and products that use the PGP standard will be modified to prevent anyone from tampering with someone's digital signature in the manner described by ICA, Zimmermann said. Network (NETA) Associates sells a commercial version of PGP, while a consumer version is available for free.
Nevertheless, a Network Associates executive criticized ICZ for publicizing the vulnerability and preparing to release the technical details of it before notifying Network Associates or giving the company a chance to confirm the flaw and fix it, as is standard practice in the industry, "At this time, because we don't have any technical information, we can't even confirm that there is a vulnerability," said Mark McArdle, VP of PGP engineering at Network Associates. "This generates a lot of confusion and elevates the level of stress of users unnecessarily."
A similar situation occurred in August when a German researcher discovered a problem with PGP and went public with the information before Network Associates had a chance to work on a patch. The company managed to release a fix within 18 hours after hearing about the problem, which only affected messages sent by users of the commercial version of PGP who took advantage of a feature that allowed them to create an additional decryption key. According to Zimmermann, corporations requested that feature so that company messages could be recovered if the recipients were unable to read them because they forgot their passwords, were on vacation or had died.
- Bookmark this page
- Share this article
- Got more on this story? Email Computerworld
- Follow Computerworld on twitter
- Data Deduplication Strategy Guide
- The Need for DLP (data leak prevention) now
- Beyond Dropbox: Requirements for Enterprise Secure File Sharing
- Case Study: BNP Paribas Deploys Oracle Exadata to Accelerate Information Processing - The Hardware Perspective
- Eight threats your antivirus won’t stop - Why you need endpoint security
- 3D mapping revives underwater city
- Academic challenges Turnbull over NBN satellite criticism
- What are you saying: Telstra’s customer service slowly improving, SA minister urging Facebook to overturn its photo ban
- In pictures: Capgemini opens new Canberra office
- Power profiles to help electronics go Green
-
20 popular Ubuntu Linux apps you may want to try
-
Nokia N9: Why you shouldn't buy this device
-
Microsoft at a loss over Event Viewer scam
-
Customer service still dogs Telstra
-
Customer service still dogs Telstra
-
Teach Yourself Visually Windows 7
-
Windows 7 for Dummies®
-
Microsoft Office
-
Excel 2007 All-In-One Desk Reference for Dummies
-
Office 2007 for Dummies
-
MYOB Software for Dummies 6E Australian Edition
-
Computers for Seniors for Dummies, 2nd Edition
-
Office 2007 All-In-One Desk Reference for Dummies
-
Windows 7 for Seniors for Dummies®
Comments
Post new comment