All versions of PGP are the same (binary). They use the same sort of model as a lot of shareware - if you buy a licence, it "unlocks" some new features for you. Handy for the user, makes testing easier, etc.
A lot of people have posted comments to the effect of "If they want to get at your secret email, they will anyway despite PGP". Don't forget that GnuPG/PGP has a huge other use as well. OpenPGP signatures are what protects a huge number of software packages from tampering.
The recent trojanings of OpenSSH, etc, would have been caught even earlier if users had checked the OpenPGP signature distributed along with the tarball.
They're relying on users to either Play Nice or not be technically inclined enough to compile their own copy. It's not that absurd, really. How many people actually compile their own PGP? (How many people *should* is another issue).
You are correct. This is only an attack on encrypted messages. If the message is encrypted & signed, then the signature failure will give away the attack.
This is why the message integrity check in GnuPG foils the attack - it is similar to a signature.
Basically, the only message that is vulnerable to this attack is one that is unsigned, uncompressed, and has no message integrity check. On top of all that, the attacker has to persuade the victim to forward back the decrypted gibberish.
Remember also that no version of PGP or GnuPG generates uncompressed messages by default.
In reality, by default, no OpenPGP software is really affected by this. Both PGP and GnuPG compress the messages which halts the attack. On top of that, GnuPG uses a message integrity check which also halts the attack.
A given message is only vulnerable if the sender disables compression and message integrity checking. It is unfortunate the news reports don't say this (not as good a story, I suppose), but the paper makes it quite clear.
The message integrity check is part of OpenPGP - it is discussed in detail in 2440bis, the draft that will be replacing RFC-2440, which was the original OpenPGP RFC.
Remember, this is not a new attack. The potential for this attack has been known for a long time, and was one of the reasons the message integrity check was added quite a while ago. What is new with this paper is a demonstration of the exploit in action.
This is not how it works. GnuPG always uses a message integrity check unless it is communicating with PGP which does not understand the integrity check. At the same time, when it needs to communicate with PGP, it uses ZIP (not ZLIB) compression, which foils the attack. That section of the paper is incorrect.
The authors were informed, but unfortunately not in time for the conference deadline.
Use --status-fd. It was added for just this situation. GnuPG will spit out a set of standard status tags as it works.
If we can just get a mailer with promiscuous relay turned off into that distribution, we could cut down on the tidal wave of spam coming from China.
An encrypted and signed message is not just an encrypted message with a signature tacked on. Rather, it is Encrypt(Sign(plaintext)).
The signature is inside the encrypted blob. If the attack here was tried, the signature would become invalid, and warn the user.
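A toy model of the point made here and in the message-integrity-check comments above: a check that sits inside the encryption (OpenPGP's MDC, or the signature in Encrypt(Sign(plaintext))) turns ciphertext modification into a hard failure, while a bare encrypted message decrypts silently to garbage. This is an added example, not PGP or GnuPG code, and it uses constructed stand-ins: a SHA-256 counter-mode keystream in place of the real CFB block cipher, SHA-1 over the plaintext in the role of the MDC, and HMAC-SHA1 under a separate key in the role of a signature.

```python
import hashlib, hmac, os

TAGLEN = 20  # SHA-1 and HMAC-SHA1 both produce 20-byte tags

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Constructed stand-in for the block cipher: SHA-256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def mdc_tag(pt: bytes, _sign_key=None) -> bytes:
    # Unkeyed hash: it is only a safe integrity check because it is encrypted too.
    return hashlib.sha1(pt).digest()

def sig_tag(pt: bytes, sign_key: bytes) -> bytes:
    # Keyed stand-in for an OpenPGP signature over the plaintext.
    return hmac.new(sign_key, pt, "sha1").digest()

def encrypt(key: bytes, pt: bytes, tag=None, sign_key=None) -> bytes:
    body = pt + (tag(pt, sign_key) if tag else b"")  # tag goes INSIDE the encryption
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

def decrypt(key: bytes, blob: bytes, tag=None, sign_key=None) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    body = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    if tag is None:
        return body  # no check at all: a modified ciphertext yields silent garbage
    pt, got = body[:-TAGLEN], body[-TAGLEN:]
    if not hmac.compare_digest(tag(pt, sign_key), got):
        raise ValueError("integrity check failed: message was modified in transit")
    return pt

def corrupt(blob: bytes, offset: int) -> bytes:
    """Flip one bit of the ciphertext body, standing in for in-transit modification."""
    b = bytearray(blob)
    b[16 + offset] ^= 0x80
    return bytes(b)

def tampering_detected(key: bytes, blob: bytes, tag=None, sign_key=None) -> bool:
    """True if decrypting a corrupted copy of blob raises, False if it is accepted."""
    try:
        decrypt(key, corrupt(blob, 0), tag, sign_key)
        return False
    except ValueError:
        return True
```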
It's worth pointing out here that the code was signed, and the signature worked - it shows the tarball as modified.
The catch is that not enough people actually checked the signature.
Another good TXT record:
dig txt jabberwocky.com
or if you're really into it, use "1.jabberwocky.com" through "7.jabberwocky.com"
It's hard to leave MS out of this since it only infects their products. It's even named after Gates' WIFE!