Pretty Good Privacy Not Good Enough

SAN FRANCISCO (08/25/2000) - A German researcher has discovered a major security flaw in the latest versions of the PGP free e-mail encryption software that could allow someone to read another person's encrypted e-mail if he or she was able to intercept it.

The problem arises from a feature that Network Associates Inc. added to PGP (Pretty Good Privacy) which allows for the recovery of data in encrypted messages.

The flaw, discovered by Ralf Senderek and reported Thursday, highlights the technical difficulties in creating key-recovery systems, said Bruce Schneier, CTO of Counterpane Internet Security and author of Applied Cryptography.

Schneier and a group of other cryptographers predicted the exact type of problem that PGP now faces in a paper they wrote in 1997, when the U.S. government was pushing for key escrow, raising the ire of civil libertarians and many software firms in the process.

"When you add key escrow, or key recovery, into a system, you're adding complexity, and by its very nature, it's going to be harder to build a secure system," Schneier says. "Now there are more things to get right and more chances of getting things wrong. This is an example of that."

Under PGP, each person has a public key and a private key, or codes that are used to encrypt and decrypt messages. A person sending an e-mail can use a recipient's public key to encrypt messages that only the recipient can decrypt, with their private key. Key-recovery systems allow a third party, usually a corporation or the government, to access encrypted data in the event that an employee leaves the company, or for criminal investigations.

When versions of PGP that support data recovery, versions 5 and 6, create new public and private key pairs, or certificates, they allow a user to specify whether to add Additional Decryption Keys. If the user enables the ADK option, when a sender encrypts a message to the user, PGP automatically encrypts the message by using both the user's public key and the ADK.

However, the software doesn't require the ADKs to be in the signed portion of the PGP certificate, which means that someone can take your PGP certificate, add his own key as the ADK, and distribute it, all without your permission.

Thereafter, he would be able to decrypt any messages sent to you if he were able to intercept them.

"The mistake is the lesson we all learned in kindergarten, that you shouldn't put anything in your mouth that you don't know where it's been," Schneier says.

"You should know where the key came from before you accept it."

Executives at Network Associates point out that the ADK option is designed for corporate users who may have to follow a data-recovery policy for all corporate communications. Most home users won't be affected because they won't enable the ADK option, according to Mike Jones, business line manager for PGP products at Network Associates. "The message from our [corporate] customer base is loud and clear; that they need data recovery."

Network Associates says it will issue a patch for the flaw Thursday. The company also has secured the PGP certificate server so that no one can update ADKs, and will scan the server to see whether any such ADKs are out there, says Mike Wallach, president of the PGP security division at Network Associates.

"There have been no examples of anybody being compromised for this," Wallach says. "We think it's a fairly esoteric bug, that, nevertheless, we need to respond to."

The hole won't be a simple one to plug for Network Associates. Even if the company creates a fix and you download it, it won't make a difference unless all the people who send you messages also download it. "You have no control over whether all the senders have upgraded," Schneier notes.

Jones conceded that both senders and recipients of PGP messages will need to install the patch.

With more than 6 million users, PGP is the most popular free encryption program. Upon its release, it was targeted by the U.S. government for allegedly violating U.S. export rules, which prohibit the export of strong encryption for national security reasons. The government dropped its case against PGP creator Philip Zimmermann in 1996, however, and has since loosened its encryption export regulations. Network Associates acquired PGP in 1997.

Join the newsletter!

Error: Please check your email address.

More about CounterpaneCounterpane Internet SecurityPGPPGP Security

Show Comments