Slashdot Mirror


Schneier et al Report PGP Vulnerability

SpaceTaxi writes: "Researchers reported that they were able to intercept and modify a PGP encrypted message so that, IF it is sent back to the attacker, the original message could be read by the attacker." The paper comes from Kahil Jallad, Jonathan Katz, and Bruce Schneier. Here is the Yahoo! article.

3 of 204 comments

  1. Re:Katz? by tbmaddux · Score: 4, Interesting
    Surely this can't be the same guy...
    It's not. This is the guy.
    --
    Can't you see that everyone is buying station wagons?
  2. Re:Affects implementation, not the standard by Beryllium+Sphere(tm) · Score: 4, Interesting

    The fact that human intervention is required also limits the damage that can be done.

    The attack would need to be repeated for every new value of the session key, or in other words for every message.

    Even the most naive person, after a few rounds, would either get suspicious or stop using PGP.

    There are times when disclosure of even one or two messages would be catastrophic, of course.

    I'd argue that there is a design flaw here: a failed decryption should only return one bit of information, namely "decryption failed", and not provide a potential adversary with algorithm output. The subtlety is that the attack doesn't involve a failed decryption. It's a valid decryption, with correct key, of unwanted ciphertext.

    Signing before encryption would be a countermeasure.

    This attack lends some support to a heretical suggestion Larry Randall made on the pgp-users mailing list. He suggested restricting distribution of the "public" key to only authorized correspondents. Sounds nonsensical at first, and doesn't apply to most threat models and usage models, but he's got a point. If you allow anybody in the world to send you encrypted email, you're allowing anyone in the world to operate your decryption system with chosen input. It's like going out in public without your tinfoil hat :-)
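
The design point this comment makes, shown as an added example that is not code from the thread, from PGP or from the paper: plain AES-CFB stands in for an unauthenticated symmetric layer and accepts a modified ciphertext without any error, while AES-GCM (an authenticated mode chosen for the illustration) returns only "decryption failed". Key, IV, nonce and message are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo secrets; real systems use fresh per-message keys, IVs
// and nonces, never fixed ones.
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes, AES-256
var iv = []byte("fixed-iv-16bytes")                  // CFB IV, 16 bytes
var nonce = []byte("fixed-nonce!")                   // GCM nonce, 12 bytes

// cfbXOR runs AES-CFB in either direction. CFB is an XOR keystream mode
// with no error path, so any ciphertext, tampered or not, "decrypts".
func cfbXOR(in []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(in))
	stream := cipher.NewCFBDecrypter(block, iv)
	if encrypt {
		stream = cipher.NewCFBEncrypter(block, iv)
	}
	stream.XORKeyStream(out, in)
	return out
}
func encryptCFB(pt []byte) []byte { return cfbXOR(pt, true) }
func decryptCFB(ct []byte) []byte { return cfbXOR(ct, false) }

// gcm builds the authenticated mode: the tag binds the exact ciphertext bytes.
func gcm() cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
func sealAuth(pt []byte) []byte { return gcm().Seal(nil, nonce, pt, nil) }

// openAuth verifies before releasing anything: the caller gets the message or
// a single failure, never the decryption output of a modified ciphertext.
func openAuth(msg []byte) ([]byte, error) { return gcm().Open(nil, nonce, msg, nil) }

func main() {
	pt := []byte("the original message")
	bad := encryptCFB(pt)
	bad[0] ^= 1 // one flipped ciphertext bit
	fmt.Printf("CFB alone: %q (no error)\n", decryptCFB(bad))
	sealed := sealAuth(pt)
	sealed[0] ^= 1
	_, err := openAuth(sealed)
	fmt.Println("AEAD:", err)
}
```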

  3. This is an EMAIL CLIENT flaw, not a pgp flaw. by TrentTheThief · Score: 5, Interesting

    Please, read this article with an eye to word meanings and English usage.

    This is a setup and usage problem in the email client, not a flaw in PGP.

    If a person is fool enough to leave their keyring available to the mail client (that's what the floppy disk in my pocket is for), to not remove their passphrase from memory, and to automatically include the plain-text version of an encrypted message when replying, they deserve no security.

    This so-called "flaw" in PGP is on a par with calling an OUTLOOK email flaw a virus.