Czechoslovakian security group ICZ, which issued a vague warning about vulnerabilities in PGP encryption software at the start of the week, has released a more detailed advisory on the flaw.
The vulnerability seems to be inherent to OpenPGP, the security format proposed as a standard in relation to encryption and digital signatures. The format is used in other applications apart from PGP, including GNU Privacy Guard.
ICZ claims to have successfully verified and demonstrated the attack, which leaves private keys vulnerable, on PGP version 7.0.3, which is typically considered highly secure.
Vlastimil Klima and Tomas Rosa, cryptologists at ICZ, have branded the protection offered by OpenPGP as "illusory", pointing out that attackers would not need to attack the cipher itself but could simply bypass both it and the user's password.
"A slight modification of the private key file followed by capturing a signed message is enough to break the private key," reads the advisory. A user's private key can then be calculated and the attacker can sign any message as the original user.
"The completed analysis of the OpenPGP format has discovered serious defects that make OpenPGP-based applications vulnerable. Similar vulnerabilities can be expected in other asymmetrical cryptographic systems, including systems based on elliptic curves," said Klima and Rosa.
As a result, ICZ is appealing for the very careful design of cryptographic systems.
The full advisory for the vulnerability can be found here.