Researchers probe PGP security flaw

A vulnerability in the Pretty Good Privacy (PGP) encryption protocol could make it possible for recipients of encoded messages to...

A vulnerability in the Pretty Good Privacy (PGP) encryption protocol could make it possible for recipients of encoded messages to be tricked into sending unencrypted messages to e-mail eavesdroppers.

The loophole, which researchers have known of for several years, is a difficult one to exploit, largely because the pre-encryption compression done by most programs foils the attack.

However, implementations that precisely adhere to the widely used OpenPGP standard would be susceptible to attack, according to Bruce Schneier, founder and chief technical officer of IT security services firm Counterpane Internet Security and Kahil Jallad and Jonathan Katz.

The researchers this week released a paper documenting tests of such an attack and recommended changes to the standard.

The attack involves an element of social engineering as well as code hacking. Known as a "chosen-cipher attack," the ploy relies on users having their e-mail software set to automatically decrypt incoming messages.

If an attacker can intercept a message en route, they could apply an algorithm to garble the message, then pass it along to the intended recipient with their own e-mail address in the reply line. Receiving the mangled message, the recipient might reply back to ask what was being sent.

Completing the attack requires receiving from the recipient a quoted copy of the garbled message, after it has been run through the recipient's decryption. That decrypted text can then be de-scrambled by the attacker.

Schneier, together with Jallad and Katz, who were with Columbia University when the research was conducted, tested the attack against two popular PGP implementations, PGP 2.6.2 and GnuPG.

Both programs compress data by default before encrypting it, complicating or thwarting the attack. However users can disabled that option.

PGP and GnuPG users should avoid turning off compression and be wary of including the full text of messages when sending replies, the researchers said.

Further details on the vulnerability and the researchers' are available online at and will be presented at next month's 2002 Information Security Conference.

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.