PGP flaw found by Czech firm allows dig sig to be forged

Declan McCullagh declan at well.com
Wed Mar 21 10:35:51 PST 2001 



http://www.wired.com/news/politics/0,1283,42553,00.html
   
   Your E-Hancock Can Be Forged
   by Declan McCullagh (declan at wired.com)
   10:20 a.m. Mar. 21, 2001 PST
   
   WASHINGTON -- A Czech information security firm has found a flaw in
   Pretty Good Privacy that permits digital signatures to be forged in
   some situations.
   
   Phil Zimmermann, the PGP inventor who's now the director of the
   OpenPGP Consortium, said on Wednesday that he and a Network Associates
   (NETA) engineer verified that the vulnerability exists.
   
   ICZ, a Prague company with 450 employees, said that two of its
   cryptologists unearthed a bug in the OpenPGP format that allows an
   adversary who breaks into your computer to forge your e-mail
   signature.
   
   Both Zimmermann and the Czech engineers, Vlastimil Klima and Tomas
   Rosa, point out that the glitch does not affect messages encrypted
   with PGP. OpenPGP programs -- including GNU Privacy Guard and newer
   versions of PGP -- use different algorithms for signing and
   scrambling, and only the digital signature method is at risk.
   
   PGP and its offspring are by far the most popular e-mail encryption
   programs in the world. Nobody has disclosed a flaw in their
   message-scrambling mechanisms, but PGP owner Network Associates
   suffered an embarrassment last August when a German cryptanalyst
   published a way that allows  an attacker to hoodwink PGP into not
   encoding secret information properly.
   
   In this case, someone wishing to impersonate you would need to gain
   access to your secret key -- usually stored on a hard drive or a
   floppy disk -- surreptitiously modify it, then obtain a message you
   signed using the altered secret key. Once those steps are complete,
   that person could then digitally sign messages using your name.
   
   "PGP or any program based on the OpenPGP format that does not have any
   extra integrity check will not recognize such modification and it will
   allow you to sign a message with the corrupted key," says Rosa, who
   works at Decros, an ICZ company. Rosa says he demonstrated the
   vulnerability with PGP 7.0.3.

   [...]

More information about the cypherpunks-legacy mailing list