Experts play down flaw of encryption software

[InfoSec News <isn () C4I ORG>]

http://www.nandotimes.com/technology/story/0,1643,500466235-500712408-503931029-0,00.html

By ANICK JESDANUN, Associated Press

NEW YORK (March 21, 2001 11:45 p.m. EST http://www.nandotimes.com) -
The gravity of a flaw in the most popular software for sending
encrypted e-mail was questioned Wednesday by security experts.

The vulnerability in Pretty Good Privacy, disclosed by two Czech
cryptologists a day earlier, could allow a hacker to use someone
else's electronic signature to send messages.

That, in essence, could mean the forging of signatures increasingly
used to authorize such things as financial transactions.

Philip Zimmermann, the creator of PGP, confirmed the flaw exists, but
questioned how useful it would be to attackers.

A hacker would first have to bypass security firewalls and gain access
to the recipient's hard drive. If a hacker can get that far,
Zimmermann said, the user has greater worries, including the ability
for someone to install software to monitor keystrokes like passwords.

The Czech cryptologists, working for Prague-based ICZ, announced their
discovery on Tuesday. The company said the discovery happened while
conducting research for the Czech National Security Authority.

Although fewer than 10 million people worldwide currently use PGP, the
use of e-signatures could rise now that the U.S. government gives
legal standing to documents "signed" online. An e-signature law took
effect Oct. 1, although it did not detail permissible methods.

PGP uses a dual-key mechanism in which one key locks a message and a
different key unlocks it.

People who want to receive scrambled mail distribute a public key that
locks messages. A sender uses a person's public key to encrypt the
message, which can be unlocked only by the private key of the
recipient.

A separate set of keys is used for authentication, which ensures a
message actually comes from the sender and not an impostor. It also
helps verify that the message isn't altered in transit.

To access either of the private keys, the e-mail recipient normally
has to type in a password.

The flaw discovered by the Czech cryptologists could let outsiders use
the private key without a password - by making modifications to the
file that contains the key.

But it only affects the authentication function of PGP, not decoding,
said Mark McArdle, vice president for PGP engineering at Network
Associates Inc., which sells the software's most popular version.

And, Zimmermann said, a user would quickly realize the file has been
modified and get a replacement, so the window for an attacker to forge
messages is narrow.

David Bowman, chief technical officer for Hush Communications Corp.,
another PGP software maker, said PGP itself isn't broken.

"They haven't broken the encryption. They haven't cracked the pass
phrases. They've found a way around it."

McArdle said the software should be easily fixable.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".