Pretty bad news...
Published: 13 August 2002 10:45 GMT
By Robert Lemos
Messages encrypted with the Pretty Good Privacy (PGP) algorithm could fall prey to a technique that fools senders into decoding their own secret messages, according to researchers.
The attack is known to work against the widely used open-source encryption software GNU Privacy Guard, but requires that the would-be spy first intercept the message and then convince the sender to decrypt what seems to be a second message.
A noted cryptographer, however, stressed that PGP is not broken.
"If I use this, I get one message - I don't get your (secret) key," said Bruce Schneier, founder and chief technology officer of network protection provider Counterpane Internet Security. Schneier proved the existence of the flaw with Jonathan Katz, a professor at the University of Maryland, and with one of Katz's graduate students.
Details of the attack method will be given at a lecture at the Information Security Conference in Brazil, later this year, and paper on the attack method is available now at the Counterpane site.
The attack takes advantage of a flaw that existed in the PGP standard until last year. Because the defense against the attack requires that developers break compatibility with older versions, the makers of many encryption programs haven't fixed the problem.
That's the case with GnuPG, said Jon Callas, principal author of the OpenPGP formats standard for the Internet Engineering Task Force, the group responsible for setting technical standards on the Internet.
"Schneier and Katz have come up with a practical attack against this weakness that we have known about for a while," he said. "It's mainly a con attack--one person has to convince another to do something."
PGP is an example of a public-key encryption system. Each person using PGP has a private key, which they keep secret, and a public key, which they publish. A message encrypted with the public key can be decrypted by the private key, and vice versa.
For an in-depth explanation of how PGP works and how the defect takes hold, click here http://www.silicon.com/a55074
Robert Lemos writes for News.com
Integration Architect/Manager Websphere MQ,WMQ,WMB, Message Broker Location: London Salary: 50,000 - 70,000 Company: ANSON MCCADE Job type: Permanent ...
Consultancy skills within large scale client environments - Design & implementation of large-scale / high-throughput complex messaging architectures, ...
Security and Encryption Algorithms Enterprise Message Bus / Enterprise Service Bus experience Senior Software Developer Engineer C# Web Services ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy