By Pia Heikkila, 22 March 2001 18:30
If confirmed, products such as Network Associates' email encryption software, Pretty Good Privacy (PGP), could be seriously flawed, leaving users' private keys open to attack.

Czech cryptologists working for a company called ICZ claim to have discovered the bug whilst working on a government security project.

Miroslav Votruba, marketing manager for ICZ, explained the scientists' discovery: "The user's digital signature is protected by an encrypted key or cipher. We've proved that attackers do not need to attack the cipher itself, but they can simply bypass it as well as the user's password. A small alteration of the private key file followed by a capturing of a signed message is enough to break the private key," he said.

Neil Barrett, one of the UK's top security specialists, said the study signals the most significant discovery as it is the first time anyone has managed to crack an OpenPGP system. "It is a very interesting finding as it is the first of its kind. The question is, will this be the beginning of more cryptography attacks to come or just an isolated vulnerability," he said.

But Douglas Hurd, business development manager for PGP at Network Associates, said that the Czechs' discovery only goes halfway to proving there is a vulnerability in the company's product.

"They are suggesting if the person is able to get access to your private key inside your PC, it is theoretically possible to modify the key and put it back to your PC and then capture something which is signed with the modified key. But in order for this attack to be possible, the attacker should be able to have open access to your PC," he said.