Flaw Discovered in Encryption Software

A serious vulnerability has been discovered in versions 5.x and 6.x of the Pretty Good Privacy (PGP) encryption software, which support key escrow in the form of Additional Decryption Keys (ADKs). To stop an intruder from modifying the public key of a user's public/private PGP key pair after the public key has been used to generate ADKs, the additional keys must also be signed with the user's private key. The vulnerability, however, allows public keys carrying unsigned ADKs to be used.

This means an intruder with a copy of the user's public key could add his own ADKs and fool someone into using the modified public key, allowing the intruder to intercept and decrypt encrypted communications.
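The check a sending client needs, as an added example that is not PGP's own code: a key's ADK list is honoured only when it is covered by the owner's self-signature. The `Key` structure, the `Recipients` function and the key names are hypothetical, and Ed25519 stands in for PGP's signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Key is a simplified model of a public key certificate (assumption: not the PGP format).
type Key struct {
	Owner        ed25519.PublicKey
	SignedADKs   []string // covered by SelfSig
	UnsignedADKs []string // travel with the key but are outside the signature
	SelfSig      []byte
}

// signedBytes is the data the owner's private key signs: the key plus its ADK list.
func signedBytes(k Key) []byte {
	b := append([]byte{}, k.Owner...)
	for _, a := range k.SignedADKs {
		b = append(append(b, 0), a...)
	}
	return b
}

// Recipients lists the keys a sender would encrypt to. With strict=false it
// reproduces the flaw: ADKs the owner never signed are accepted as well.
func Recipients(k Key, strict bool) ([]string, error) {
	if !ed25519.Verify(k.Owner, signedBytes(k), k.SelfSig) {
		return nil, errors.New("self-signature does not cover this key and ADK list")
	}
	out := append([]string{"owner"}, k.SignedADKs...)
	if !strict {
		out = append(out, k.UnsignedADKs...)
	}
	return out, nil
}

// SampleKey builds a constructed key with one legitimately signed ADK.
func SampleKey() Key {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed all-zero seed
	k := Key{Owner: priv.Public().(ed25519.PublicKey), SignedADKs: []string{"corp-adk"}}
	k.SelfSig = ed25519.Sign(priv, signedBytes(k))
	return k
}

func main() {
	k := SampleKey()
	k.UnsignedADKs = []string{"intruder-adk"} // added without the private key
	lax, _ := Recipients(k, false)
	strict, _ := Recipients(k, true)
	fmt.Println("flawed client encrypts to:", lax, "\nstrict client encrypts to:", strict)
}
```

A modified copy that moves the extra ADK into the signed list instead fails verification, because the intruder cannot produce the owner's signature over the new list.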
