You are here: silicon.com > Software > Security Strategy

Security Strategy

PGP defect reveals encrypted messages

Pretty bad news...

Printer Friendly Email Story RSS

By CNET Networks

Published: 13 August 2002 10:45 GMT

By Robert Lemos

Messages encrypted with the Pretty Good Privacy (PGP) algorithm could fall prey to a technique that fools senders into decoding their own secret messages, according to researchers.

The attack is known to work against the widely used open-source encryption software GNU Privacy Guard, but requires that the would-be spy first intercept the message and then convince the sender to decrypt what seems to be a second message.

A noted cryptographer, however, stressed that PGP is not broken.

"If I use this, I get one message - I don't get your (secret) key," said Bruce Schneier, founder and chief technology officer of network protection provider Counterpane Internet Security. Schneier proved the existence of the flaw with Jonathan Katz, a professor at the University of Maryland, and with one of Katz's graduate students.
Details of the attack method will be given at a lecture at the Information Security Conference in Brazil, later this year, and paper on the attack method is available now at the Counterpane site.

The attack takes advantage of a flaw that existed in the PGP standard until last year. Because the defense against the attack requires that developers break compatibility with older versions, the makers of many encryption programs haven't fixed the problem.

That's the case with GnuPG, said Jon Callas, principal author of the OpenPGP formats standard for the Internet Engineering Task Force, the group responsible for setting technical standards on the Internet.

"Schneier and Katz have come up with a practical attack against this weakness that we have known about for a while," he said. "It's mainly a con attack--one person has to convince another to do something."

PGP is an example of a public-key encryption system. Each person using PGP has a private key, which they keep secret, and a public key, which they publish. A message encrypted with the public key can be decrypted by the private key, and vice versa.

For an in-depth explanation of how PGP works and how the defect takes hold, click here http://www.silicon.com/a55074

Robert Lemos writes for News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Related Links

Encryption guru joins Hushmail

Security shock: Cryptologists find flaw in PGP

Top secret: PGP secures Linux

NAI founder opens up on PGP source code

Office has "kindergarten crypto mistake"

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business

Jon Collins Is losing a mobile device really such a big deal? How to minimise the damage to your business

UK ID cards rollout hit by delay as launch date revealed

Bletchley Park's World War Two codebreakers in their own words

'You're responsible for your own wi-fi security' say ISPs

'UK must up privacy safeguards following Phorm'

The top 10 technologies you need to plan for next year


  • Jobs
Websphere Message Broker Contract

I am looking for an experienced Websphere Message Broker contractor on what will be a 3 month contract Essentials: - Websphere Message Broker 6.1 ...

SAP PI Consultant

Standard PI messages from RWB / MONI and defect analysis - Performance tuning and monitoring - Troubleshooting experience - Developing ABAP proxy ...

Embedded Software Engineer (Encryption/Midlands)

Cryptography Systems - Embedded Software Engineer Midlands - Perm 35k - 45k + bens High level role within successful team of engineers developing ...

Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.

JD Edwards Spotlight Video

CEO Dashboard Management: Why Creating Visual Reports You Can't Hide From Will Help...

Virtual Private Servers (VPS)

Looking for a fast payback? 10 Minutes with Free Tool Can Save Thousands

Martin Brokers cashes in on back-up swap

VocaLink makes virtualisation pay

Sony Pictures sets sights on best IT Oscar

Co-op Group kicks "server sprawl" into touch

Arts Council gets tech troubleshooting boost

Torex tech treats Thorntons to quicker sales

Stories from the web...


eBay app lets users bid from a BlackBerry

ID card database: 500 names added in first month

Women in IT: Tech has an image problem

Tesco Mobile to get a taste of Apple's iPhone

Marketing chiefs: Are you spamming your customers?

IT skills shortage squashed by recession?




Quick Sitemap Links: