Quantcast
Subscribe to magazine

Researchers Probe PGP Flaw

Hackers could thwart encryption technology in some cases, security experts warn.

Stacy Cowley, IDG News Service

  • 0 Yes
  • 0 No

A vulnerability in the Pretty Good Privacy (PGP) encryption protocol could let a snooper trick recipients of encoded messages into deciphering them and sending them back to the would-be spy, researchers warned Monday as they released a paper documenting tests of such an attack.

The loophole, which researchers have known of for several years, is a difficult one to exploit, the researchers say. Typically, the pre-encryption compression done by most PGP applications foils the attack. Still, implementations that precisely adhere to the widely used OpenPGP standard would be susceptible to attack, according to the researchers, who recommend changes to the standard.

The attack involves an element of social engineering as well as code-hacking. Known as a "chosen-cipher attack," the ploy relies on a user having set his e-mail software to automatically decrypt incoming messages. If an attacker can intercept a message en route, he could apply an algorithm to garble the message, then pass it along to the intended recipient with his own e-mail address in the reply line. Receiving the mangled message, the recipient might reply back to ask what was being sent.

Completing the attack requires receiving from the recipient a quoted copy of the garbled message, after it's been run through the recipient's decryption. That decrypted text can then be de-scrambled by the attacker.

Advice for Users

The attack was tested against two popular PGP implementations, PGP 2.6.2 and GnuPG. The tests were conducted by researchers Bruce Schneier, founder and chief technical officer of IT security services firm Counterpane Internet Security in Cupertino, California; and Kahil Jallad and Jonathan Katz, who were with Columbia University when the research was conducted. Both programs compress data by default before encrypting it, complicating or thwarting the attack, but that option can be disabled by users.

PGP and GnuPG users should avoid turning off compression and be wary of including the full text of messages when sending replies, the researchers said.

Further details on the vulnerability and the researchers' tests are available online from Counterpane. The research will be presented at the 2002 Information Security Conference, which begins in late September in São Paulo.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace