PGP encryption defect uncovered
Published: 12 Aug 2002 16:12 BST
Researchers claim to have detected a flaw in a popular email encryption technology that could allow hackers to read protected messages.
The flaw occurs in software that uses Pretty Good Privacy, a tool for scrambling email. However, in order to exploit the vulnerability, hackers must convince their targets to reply to a sabotaged email message.
Researchers working at Columbia University discovered the flaw, which requires a hacker to intercept and modify an encrypted message. If the recipient attempts to decrypt the message, he or she will be presented with a string of gibberish. If the recipient then replies to that message, saying, for instance, "what were you trying to say?" and quotes the string of gibberish, the attacker could use that response to decode the original message.
The paper's authors -- Kahil Jallad, Jonathan Katz and Bruce Schneier -- say that the so-called ciphertext attacks are "quite feasible" and are of "serious concern". They provide details on the threat in a paper that is scheduled to be presented at the Information Security Conference 2002 Proceedings later this year.
Pretty Good Privacy, or PGP, has been around for more than 10 years. It's been best known as a "freeware" program, meaning that it was available at no cost. Network Associates tried to make a go at selling PGP to corporations, but gave up on that idea earlier this year.
The flaw also affects OpenPGP, an open-source version of the encryption software.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
49 out of 84 people found this useful
- Share this article:
