PGP Flaw Leaves E-mails Vulnerable

Aug 12, 2002

Ryan Naraine

Security researchers have unearthed a flaw within the popular PGP encryption tool that could allow snoopers to decode sensitive e-mails.

PGP , or Pretty Good Privacy, is the defacto standard for encryption on the Internet and is widely thought of as invincible but researchers at Counterpane Internet Security Inc and Columbia University say they have found a way to modify a PGP-encrypted e-mail without having to descrambling it.

In an advisory, Counterpane said an attacker could repackage the message and pass the modified message on to the intended recipient of the original message.

It said the text within the message would appear as gibberish and could lead to a request for a resent. If the original text is included in the resend request, the adversary may be able to determine the original message.

The detection of the flaw has forced an update to the OpenPGP standard, which is expected to be released Monday.

The researchers found the flaw in both PGP and GnuPG but noted that the attacks largely failed when data is compressed before encryption.

While the flaw is described as "serious," the researchers found it was very difficult to exploit and urged users of PGP to avoid including full text of messages when replying.

"Users of GnuPG and PGP should be aware that compression should not be turned off. Compression is turned on by default, but a user sending a compressed file will still be at risk from a chosen-ciphertext attack," according to the advisory. If compression is not used, or if compressed files are sent, the chosen-ciphertext attack could succeed against both GnuPG and PGP. The security outfit said GnuPG is also vulnerable if the user does not view the warning message that the encrypted data fails the message integrity check.

"In "batch mode "operation this warning would probably go unnoticed by the user since in this case the decrypted," it added.

The research showed the OpenPGP standard, as written, was vulnerable to chosen ciphertext attack due to the following:

  • No explicit requirement of a message integrity check.
  • Optional implementation of compression.
  • Requiring acceptance of "uncompressed" as a valid form of compression.
  • "Developers of front end software for GnuPG need to propagate integrity violation warnings to the users. This is important not only for protection against chosen ciphertext attacks -- integrity protection is useless if the user is not warned when it has been violated," the company said.


    0 Comments (click to add your comment)
    Comment and Contribute

    Your comment has been submitted and is pending approval.



     (click to add your comment)

    Comment and Contribute

    Your name/nickname

    Your email


    (Maximum characters: 1200). You have characters left.