A serious vulnerability has been found in several versions of Pretty Good Privacy (PGP) encryption software that could expose the content of encrypted messages. The flaw affects PGP 5.x, 6.x and derived products that are used to encrypt e-mail and control access to sensitive files and services.
Each PGP user has a public/private key pair. The public key can be used by anyone to encrypt a message to the user. The private key can be accessed only by the user to decrypt messages. The flaw allows an attacker to create a modified version of a user's public key, forcing the sender to encrypt messages to both the intended recipient and the attacker, who could then decrypt the data.
According to security analysts, the flaw was created when Network Associates Inc. in Santa Clara, Calif., modified the affected PGP versions to allow for third-party key recovery, or key escrow. The alteration was made by supporting an additional decryption key (ADK) controlled by the user's employer, government entities or other organizations that want the ability to intercept and read encrypted messages.
Versions of PGP that support key escrow create a new public/private key pair and add to the public key a set of ADKs. This additional set of keys gives those who want to communicate using this key the ability to encrypt and read messages. When a sender encrypts a message to that user, PGP will automatically encrypt the message in both the user's public key and the ADK.
To stop someone from modifying the public key after it's been generated to add ADKs, the additional keys must be signed with the user's corresponding private key. The vulnerability allows public keys with nonsigned ADKs to be used.
"This means that someone could obtain a copy of your public key, add their own ADKs, and attempt to fool someone into using this modified public key when in communication with you," said Elias Levy, an analyst at SecurityFocus.com in San Mateo, Calif. "If they can intercept the encrypted communications, they will then be able to decrypt it with their ADK."
Network Associates was unavailable for comment on the flaw. But Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in San Jose, noted that the flaw allows an organization to take a PGP certificate, which contains a single public key and user-identifying information, add an ADK, and release the tampered version of the certificate. The altered certificate can't be detected unless the bytes are manually examined.
According to Schneier, the flaw prompts the tampered version of the certificate to automatically and invisibly encrypt all messages to the organization as well as to the certificate owner. Schneier, who is also a world-respected cryptographer, said the problem won't go away until all flawed versions of PGP are eradicated. He added that it's the sender who is responsible for encrypting to the ADKs, not the recipient.
"Way back in 1998, a bunch of us cryptographers predicted that adding key escrow would make system design harder and would result in even more security problems," said Schneier. "This is an example of that prediction coming true."