[Fwd: Have they found a serious PGP vulnerability?!]
Forwarded without permission from BUGTRAQ. I have no idea if there is any substance in the rumour, though I imagine there probably isn't.
Ken Brown
Pavel Kankovsky wrote:
The rumour goes around that a group of cryptologists working for a Czech company called ICZ has discovered a fatal problem in PGP as a side effect of their work on a special crypto device for the Czech government.
If you understand Czech (or if you want to check all the keywords are there), you can read an article titled "Do you trust PGP? A mistake!" about the whole thing at http://www.swnet.cz/article.php?id=15096
Allegedly, there is a vulnerability in OpenPGP format definition (sic) allowing an attacker to circumvent (sic) the encryption used to protect private signing keys and to recover those keys in real time (sic).
To make the article sound a little more like a piece of FUD, they add that only higher and more demanding professional systems (sic), when implemented and used correctly, can be considered really secure.
No details are available right now and the data included in the article seems to be partially self-contradicting (on the other hand, it can be just a result of standard journalistic post-production). They say there will be a press conference today (March 20) at 15:00 MET where ICZ people will shed more light on this issue.
Personally, I think they have found some new obscure attack (perhaps some side-channel attack) that can be used when some bizarre conditions are met, or maybe they have reinvented the wheel, and have discovered a Trojan horse can steal private keys when PGP decrypts them in order to be able to use them.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
At 9:36 AM +0000 3/21/01, Ken Brown wrote:
If you understand Czech (or if you want to check all the keywords are there), you can read an article titled "Do you trust PGP? A mistake!" about the whole thing at http://www.swnet.cz/article.php?id=15096
There is an English translation: <http://www.i.cz/en/onas/tisk4.html>. As of this morning I haven't yet been able to determine if there's anything to their assertion.
--
john noerenberg
jwn2@qualcomm.com
--------------------------------------------------------------------------
Peace of mind isn't at all superficial, really. It's the whole thing. That which produces it is good maintenance; that which disturbs it is poor maintenance.
-- Zen and the Art of Motorcycle Maintenance, Robert M. Pirsig, 1974
--------------------------------------------------------------------------
At 10:56 AM 3/21/01 -0600, John W Noerenberg II wrote:
At 9:36 AM +0000 3/21/01, Ken Brown wrote:
If you understand Czech (or if you want to check all the keywords are there), you can read an article titled "Do you trust PGP? A mistake!" about the whole thing at http://www.swnet.cz/article.php?id=15096
There is an English translation: <http://www.i.cz/en/onas/tisk4.html>. As of this morning I haven't yet been able to determine if there's anything to their assertion.
A repeat, here: http://www.nytimes.com/2001/03/21/technology/21CODE.html
It has almost no details, doesn't even mention a version number. Declan's fwd appears to have more info - but this one does mention a press release that will become available on Friday...
Reese
participants (3)
- John W Noerenberg II
- Ken Brown
- Reese