[Fwd: Have they found a serious PGP vulnerability?!]

Ken Brown k.brown at ccs.bbk.ac.uk
Wed Mar 21 01:36:57 PST 2001


Forwarded without permission from BUGTRAQ. I have no idea if there is
any substance in the rumour, though I imagine there probably isn't.

Ken Brown

Pavel Kankovsky wrote:
> 
> The rumour goes around that a group of cryptologists working for a Czech
> company called ICZ has discovered a fatal problem in PGP as a side effect
> of their work on a special crypto device for the Czech government.
> 
> If you understand Czech (or if you want to check all the keywords are
> there), you can read an article titled "Do you trust PGP? A mistake!"
> about the whole thing at http://www.swnet.cz/article.php?id=15096
> 
> Allegedly, there is a vulnerability in OpenPGP format definition (sic)
> allowing an attacker to circumvent (sic) the encryption used to protect
> private signing keys and to recover those keys in real time (sic).
> 
> To make the article sound a little more like a piece of FUD, they add
> that only higher and more demanding professional systems (sic), when
> implemented and used correctly, can be considered really secure.
> 
> No details are available right now and the data included in the article
> seems to be partially self-contradicting (on the other hand, it can be
> just a result of standard journalistic post-production). They say there
> will be a press conference today (March 20) at 15:00 MET where ICZ people
> will shed more light on this issue.
> 
> Personally, I think they have found some new obscure attack (perhaps some
> side-channel attack) that can be used when some bizarre conditions are
> met, or maybe they have reinvented the wheel, and have discovered a Trojan
> horse can steal private keys when PGP decrypts them in order to be able to
> use them.
> 
> --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
> "Resistance is futile. Open your source code and prepare for assimilation."




