Flaw Discovered in Encryption Software

A serious vulnerability has been discovered in Pretty Good Privacy (PGP) encryption software versions 5.x and 6.x that support key escrow in the form of Additional Decryption Keys (ADK). To stop an intruder from modifying the public key of a user's PGP key pair after that public key has been used to generate ADKs, the additional keys must also be signed with the user's private key. The vulnerability, however, allows public keys carrying unsigned ADKs to be used.

This means an intruder with a copy of the user's public key could add his own ADKs, fool someone into encrypting to the modified public key, and then intercept and decrypt the encrypted communications.
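The check a sender's software needs before honoring an ADK, as an added example (not code from PGP or from this article). It assumes the OpenPGP version 4 signature layout, in which only the first ("hashed") subpacket area is covered by the key owner's signature, and that the ADK travels as subpacket type 10; the function names and sample bytes are constructed, and verifying the signature itself is out of scope.

```python
ADK = 10  # assumption: subpacket type PGP 5.x/6.x used to carry an ADK
def subpackets(area):
    """Yield (type, data) for every subpacket in one subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        hdr = 1 if first < 192 else 2 if first < 255 else 5   # length-field size
        if i + hdr > len(area):
            raise ValueError("truncated subpacket length")
        length = (first if hdr == 1 else
                  ((first - 192) << 8) + area[i + 1] + 192 if hdr == 2 else
                  int.from_bytes(area[i + 1:i + 5], "big"))
        i += hdr
        if length == 0 or i + length > len(area):
            raise ValueError("truncated subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]          # drop critical bit
        i += length

def adks_by_area(body):
    """Return the ADK subpackets of a v4 signature body, split by area."""
    if len(body) < 6 or body[0] != 4:
        raise ValueError("not a version 4 signature body")
    found, off = {}, 4                      # skip version, type, two algorithm ids
    for name in ("signed", "unsigned"):     # hashed area, then unhashed area
        n = int.from_bytes(body[off:off + 2], "big")
        area = body[off + 2:off + 2 + n]
        if off + 2 > len(body) or len(area) != n:
            raise ValueError("truncated signature")
        found[name] = [d for t, d in subpackets(area) if t == ADK]
        off += 2 + n
    return found

def trusted_adks(body):
    """ADKs a sender may honor: only those the key owner's signature covers."""
    found = adks_by_area(body)
    if found["unsigned"]:
        raise ValueError("ADK outside the signed area: reject this key")
    return found["signed"]

# Constructed sample bytes, not real keys. Type 2 = creation time, 16 = issuer.
def sp(kind, data):
    return bytes([len(data) + 1, kind]) + data
def make_sig(hashed, unhashed):
    return (bytes([4, 0x13, 17, 2]) + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed + b"\x00\x00")
OWNER_ADK, ADDED_ADK = b"\x80\x11" + b"\xaa" * 20, b"\x80\x11" + b"\xee" * 20
SIGNED = sp(2, b"\x39\x9f\x00\x00") + sp(ADK, OWNER_ADK)
GOOD = make_sig(SIGNED, sp(16, b"\x01" * 8))
TAMPERED = make_sig(SIGNED, sp(16, b"\x01" * 8) + sp(ADK, ADDED_ADK))
```

`trusted_adks(GOOD)` returns the owner's ADK, while `trusted_adks(TAMPERED)` raises because a second ADK sits in the area the signature does not cover.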
