Schneier et al Report PGP Vulnerability
SpaceTaxi writes: "Researchers reported that they were able to intercept and modify a PGP encrypted message so that, IF it is sent back to the attacker, the original message could be read by the attacker." The paper comes from Kahil Jallad, Jonathan Katz, and Bruce Schneier. Here is the Yahoo! article.
I heard (on the internet, so it must be true) that using compression with SSL may result in weaker encryption (i.e. mod_gzip over HTTPS). Anyone know if this is true or not? Is it safe to use mod_gzip and friends over HTTPS?
Can't you see that everyone is buying station wagons?
The fact that human intervention is required also limits the damage that can be done.
:-)
The attack would need to be repeated for every new value of the session key, or in other words for every message.
Even the most naive person, after a few rounds, would either get suspicious or stop using PGP.
There are times when disclosure of even one or two messages would be catastrophic, of course.
I'd argue that there is a design flaw here: a failed decryption should only return one bit of information, namely "decryption failed", and not provide a potential adversary with algorithm output. The subtlety is that the attack doesn't involve a failed decryption. It's a valid decryption, with correct key, of unwanted ciphertext.
Signing before encryption would be a countermeasure.
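As an added illustration (this code is not from the thread, the paper, or PGP itself): the two comments above distinguish a decryption that merely fails from one that "succeeds" on unwanted ciphertext. The block below puts the two side by side with Go's standard library: unauthenticated AES-CFB, the mode family classic OpenPGP used, decrypts a modified ciphertext without complaint and hands back algorithm output, while an authenticated mode (AES-GCM) rejects the same modification and returns only the single bit "decryption failed". The key, IV, nonce and message are constructed demo values; a real system derives the key per message and never fixes the IV or nonce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo values for this example only (assumptions, not real keys).
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoIV    = []byte("cfb-demo-iv-0000")                 // 16 bytes: one AES block
	demoNonce = []byte("gcm-nonce-01")                     // 12 bytes: standard GCM nonce
	demoMsg   = []byte("Meet at the usual place at 09:00. Bring the documents.")
)

// cfbEncrypt uses unauthenticated AES-CFB: nothing in the output binds the
// ciphertext to its sender, so any party can alter it undetected.
func cfbEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, plaintext)
	return out, nil
}

// cfbDecrypt always "succeeds": it cannot tell tampered input from genuine.
func cfbDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(out, ciphertext)
	return out, nil
}

// newGCM builds an AES-GCM AEAD; the authentication tag covers every byte.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts and authenticates; gcmOpen returns the plaintext or a
// single failure signal, never garbled output.
func gcmSeal(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

func gcmOpen(key, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil) // err here is the one leaked bit
}

// flipBit returns a copy of ct with one bit changed at byte index pos,
// standing in for an in-transit modification.
func flipBit(ct []byte, pos int) []byte {
	modified := make([]byte, len(ct))
	copy(modified, ct)
	modified[pos] ^= 0x01
	return modified
}

// CFBLeaksOutputOnTamper reports whether CFB decryption of a modified
// ciphertext returns without error and with output that is not the original
// message: a "valid decryption of unwanted ciphertext".
func CFBLeaksOutputOnTamper() (bool, error) {
	ct, err := cfbEncrypt(demoKey, demoIV, demoMsg)
	if err != nil {
		return false, err
	}
	pt, err := cfbDecrypt(demoKey, demoIV, flipBit(ct, 3))
	if err != nil {
		return false, err
	}
	return !bytes.Equal(pt, demoMsg), nil
}

// GCMRejectsTamper reports whether AES-GCM refuses the same modification.
func GCMRejectsTamper() (bool, error) {
	ct, err := gcmSeal(demoKey, demoNonce, demoMsg)
	if err != nil {
		return false, err
	}
	_, err = gcmOpen(demoKey, demoNonce, flipBit(ct, 3))
	return err != nil, nil
}

func main() {
	leaks, _ := CFBLeaksOutputOnTamper()
	rejects, _ := GCMRejectsTamper()
	fmt.Printf("CFB returns altered plaintext without error: %v\n", leaks)
	fmt.Printf("GCM returns only a failure signal:           %v\n", rejects)
}
```

The defensive lesson is the one the comment states: a decryption routine should be able to answer "this ciphertext is not what the sender produced" before it releases any output, and that requires authentication (a MAC, an AEAD mode, or a signature checked before the plaintext is acted on), not just a correct key.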
This attack lends some support to a heretical suggestion Larry Randall made on the pgp-users mailing list. He suggested restricting distribution of the "public" key to only authorized correspondents. Sounds nonsensical at first, and doesn't apply to most threat models and usage models, but he's got a point. If you allow anybody in the world to send you encrypted email, you're allowing anyone in the world to operate your decryption system with chosen input. It's like going out in public without your tinfoil hat.
This type of attack was mentioned in Applied Cryptography by Schneier himself, p. 42.....
Yawn....
Please, read this article with an eye to word meanings and English usage.
This is a setup and usage problem in the email client, not a flaw in PGP.
If a person is fool enough to leave their keyring available to the mail client (that's what the floppy disk in my pocket is for), to not remove their passphrase from memory, and to automatically include the plain-text version of an encrypted message when replying, they deserve no security.
This so-called "flaw" in PGP is on a par with calling an OUTLOOK email flaw a virus.
This is a well known attack, isn't it? I can remember giving a talk on how to use PGP and telling people to never:
a) Sign random garbage sent to them by anyone (and send it back), or
b) Decrypt stuff and send it back.
>This is how the allies broke the German enigma in World War 2.
I haven't read about any chosen-ciphertext attacks during the Enigma crack. One line of attack was that messages began with a repetition of a three-character sequence, so certain keys were known to be impossible for given ciphertext. Another was that some operators got sloppy and used guessable keyboard combinations (the Hut 6 people called those the "sillies"). Then there was the commander who sent the exact same status report every day with a different key.
Unless "This is how" refers to depending on mistakes by the target. The German Navy codes took longer to crack because the operators were better disciplined. Venona is a superb example of waiting for the target to do something stupid -- the US was decrypting one-time pads. Absolutely impossible even in theory, except that the cipher clerks at the Soviet embassy were re-using keying material.
>This is the problem with programs like PGP, they're so well made that they allow a user who has no idea how they work to use them
You've got a point there. On the other hand, a hard-to-use program just makes it easier to screw up. For example, early versions of PGP required a manual step to self-sign your public key. The result was that even a professional cryptographer wound up putting a non-self-signed key onto the key servers.
I worry about just your point -- security may absolutely require users to be knowledgeable. If so, it becomes in general impossible.