Experts play down flaw of encryption software
http://www.nandotimes.com/technology/story/0,1643,500466235-500712408-503931029-0,00.html

By ANICK JESDANUN, Associated Press

NEW YORK (March 21, 2001 11:45 p.m. EST http://www.nandotimes.com) - The gravity of a flaw in the most popular software for sending encrypted e-mail was questioned Wednesday by security experts.

The vulnerability in Pretty Good Privacy, disclosed by two Czech cryptologists a day earlier, could allow a hacker to use someone else's electronic signature to send messages. That, in essence, could mean the forging of signatures increasingly used to authorize such things as financial transactions.

Philip Zimmermann, the creator of PGP, confirmed the flaw exists, but questioned how useful it would be to attackers. A hacker would first have to bypass security firewalls and gain access to the recipient's hard drive. If a hacker can get that far, Zimmermann said, the user has greater worries, including the ability for someone to install software to monitor keystrokes like passwords.

The Czech cryptologists, working for Prague-based ICZ, announced their discovery on Tuesday. The company said the discovery happened while conducting research for the Czech National Security Authority.

Although fewer than 10 million people worldwide currently use PGP, the use of e-signatures could rise now that the U.S. government gives legal standing to documents "signed" online. An e-signature law took effect Oct. 1, although it did not detail permissible methods.

PGP uses a dual-key mechanism in which one key locks a message and a different key unlocks it. People who want to receive scrambled mail distribute a public key that locks messages. A sender uses a person's public key to encrypt the message, which can be unlocked only by the private key of the recipient. A separate set of keys is used for authentication, which ensures a message actually comes from the sender and not an impostor. It also helps verify that the message isn't altered in transit.
To access either of the private keys, the e-mail recipient normally has to type in a password. The flaw discovered by the Czech cryptologists could let an outsider who is able to modify the file that stores the key make use of the private key without knowing that password. But it only affects the authentication (signing) function of PGP, not decryption, said Mark McArdle, vice president for PGP engineering at Network Associates Inc., which sells the software's most popular version.

And, Zimmermann said, a user would quickly realize the file has been modified and get a replacement, so the window for an attacker to forge messages is narrow.

David Bowman, chief technical officer for Hush Communications Corp., another PGP software maker, said PGP itself isn't broken. "They haven't broken the encryption. They haven't cracked the pass phrases. They've found a way around it."

McArdle said the software should be easily fixable.

ISN is hosted by SecurityFocus.com
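The flaw described above is a key-file tampering problem rather than a break of the cipher or the passphrase: a PGP secret-key file keeps the key's public parameters in the clear next to the passphrase-encrypted secret, and the original format only checksummed the secret, so someone with write access to the file could alter the parameters without knowing the passphrase. The Python below is an added example, not code from the article, from PGP or from ICZ. It uses a constructed toy key-file layout (not the OpenPGP packet format) with hypothetical helper names, and contrasts a weak 2-byte checksum over the secret alone with an integrity hash over all key material that is stored inside the encrypted portion, which is the shape of the fix OpenPGP later adopted (a SHA-1 hash in place of the checksum). The passphrase-derived keystream is a stand-in for the real cipher and is not a recommendation.

```python
"""Toy secret-key file: public parameters in the clear beside a
passphrase-encrypted secret. Constructed illustration, not OpenPGP."""
import hashlib
import hmac
import json
import os


def _stream(passphrase: bytes, salt: bytes, length: int) -> bytes:
    # Hypothetical passphrase-derived keystream (PBKDF2 key + counter hash);
    # stands in for the real symmetric cipher PGP uses on the secret.
    key = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 10_000, 32)
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_key(params: dict, secret: bytes, passphrase: bytes, strong: bool) -> dict:
    """Build the on-disk record. `params` (DSA-style p,q,g,y) stay plaintext;
    only `secret` plus its integrity tag are encrypted under the passphrase."""
    salt = os.urandom(8)
    pub = json.dumps(params, sort_keys=True).encode()
    if strong:
        # Hash covers the public parameters AND the secret, and lives inside
        # the ciphertext, so it cannot be recomputed without the passphrase.
        tag = hashlib.sha1(pub + secret).digest()
    else:
        # Weak: 2-byte sum over the secret only; parameters are unprotected.
        tag = (sum(secret) & 0xFFFF).to_bytes(2, "big")
    plain = secret + tag
    return {"params": params, "salt": salt.hex(), "strong": strong,
            "blob": _xor(plain, _stream(passphrase, salt, len(plain))).hex()}


def read_key(rec: dict, passphrase: bytes) -> bytes:
    """Decrypt and return the secret; raise ValueError if integrity fails.
    A signing routine must refuse to proceed on ValueError."""
    salt, blob = bytes.fromhex(rec["salt"]), bytes.fromhex(rec["blob"])
    plain = _xor(blob, _stream(passphrase, salt, len(blob)))
    pub = json.dumps(rec["params"], sort_keys=True).encode()
    if rec["strong"]:
        secret, tag = plain[:-20], plain[-20:]
        ok = hmac.compare_digest(tag, hashlib.sha1(pub + secret).digest())
    else:
        secret, tag = plain[:-2], plain[-2:]
        ok = hmac.compare_digest(tag, (sum(secret) & 0xFFFF).to_bytes(2, "big"))
    if not ok:
        raise ValueError("key file failed integrity check")
    return secret


def tamper(rec: dict) -> dict:
    # Attacker with access to the file swaps a public parameter (here the
    # generator g). No passphrase is needed because params are plaintext.
    bad = dict(rec)
    bad["params"] = dict(rec["params"], g=1)
    return bad


def demo(strong: bool) -> str:
    """Write a toy key, tamper with it, then try to load it for signing."""
    pw = b"correct horse"
    params = {"p": 23, "q": 11, "g": 4, "y": 12}   # constructed toy DSA values
    secret = b"\x05"                               # toy private exponent x=5
    rec = tamper(write_key(params, secret, pw, strong))
    try:
        read_key(rec, pw)
        return "tamper undetected"
    except ValueError:
        return "tamper detected"


if __name__ == "__main__":
    print("weak checksum:  ", demo(False))   # tamper undetected
    print("integrity hash: ", demo(True))    # tamper detected
```

The point for a practitioner is where the integrity value sits: a checksum the attacker can recompute, or one that covers only the encrypted secret, does nothing against edits to the plaintext parameters; a hash over everything that is itself under the passphrase turns the file edit into a loud failure before any signature is produced.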