Careless PGP users can be fooled into sending messages to an imposter, thanks to a flaw discovered by a Dutch mathematics student.
Pretty Good Privacy (PGP) encrypts email in transit between two trusted parties who have exchanged cryptographic keys.
Each user has two keys, one public and one that is kept secret. The public key is usually signed by other users to vouch that it really belongs to the person it names.
The problem, discovered by Siewert van Otterloo, a student at the University of Utrecht, means it is possible to change the identity associated with a genuine key and use this to trick another PGP user.
But many attackers are faced with a crucial stumbling block: they must first create a real key and get it authenticated before they can alter its identity.
Former NATO information security director Brian Gladman said the issue is significant because very few people use PGP properly.
"To get reasonable security, you can't just buy it and use it. You have to understand it. If you know what you're doing, you should be fine, but if you don't, you can get into awful trouble," he said.
"This is not a weakness at a fundamental level of PGP, but in the way it is implemented," Gladman added.
"If someone really wants to fool someone, they can get a signature, change an aspect of it and it will appear the same.
"Only a small percentage of people actually use PGP properly. This is only going to affect people who aren't careful."
Gladman advises people not to use a key from someone they don't know or trust. As 'best practice' he recommends handing over an electronic key in person.
Van Otterloo contacted Network Associates when he found the problem and waited for a fix to be published before going public.
He discovered the issue in an older version of PGP, released as open source code in August 2000.