PGP, or Pretty Good Privacy, software is an internationally popular
means of encryption to protect the confidentiality of e-mails. The
flaw, discovered by Ralf Senderek, a German researcher, could allow
an unauthorised third party to read encrypted e-mails, rendering
the software useless.
The flaw lies in the public and private key system used by PGP.
It allows a hacker to alter the victim’s PGP public certificate and
read any message encrypted with the altered certificate. The
certificate is software that associates the user with the pair of
keys and is used for signing, encrypting and decrypting messages.
An attacker can add an additional key to the user’s public key
certificate to be used as an additional decryption key.
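The mechanism described above, as an added illustration that is not part of the original article and not Network Associates' or PGP's code: a toy model of a public key certificate whose owner's self-signature covers only a "hashed" subpacket area, while an "unhashed" area is not covered. A reader that honours an additional-decryption-key attribute found in the uncovered area will encrypt to a key the owner never approved; a hardened reader first checks the self-signature and then honours only attributes it covers. The subpacket type numbers, the SHA-256 digest standing in for a real signature, and all key material are constructed for this example and are not the real OpenPGP encoding.

```python
import hashlib
from dataclasses import dataclass

# Subpacket type codes are stand-ins chosen for this illustration,
# not the real OpenPGP subpacket numbering.
SUBPKT_KEY_FLAGS = 1
SUBPKT_ADK = 2  # "additional decryption key" attribute (constructed code)


@dataclass
class SelfSignature:
    hashed: list        # (type, bytes) pairs covered by the owner's signature
    unhashed: list      # (type, bytes) pairs NOT covered by the signature
    digest: bytes = b""  # stand-in for the real RSA/DSA signature value


@dataclass
class Certificate:
    owner_key: bytes    # owner's public key material (constructed)
    sig: SelfSignature


def _covered_bytes(owner_key: bytes, hashed: list) -> bytes:
    """Digest over exactly what the self-signature is meant to bind:
    the key material plus the hashed subpacket area."""
    h = hashlib.sha256(owner_key)
    for subtype, data in hashed:
        h.update(bytes([subtype]))
        h.update(len(data).to_bytes(2, "big"))
        h.update(data)
    return h.digest()


def sign(cert: Certificate) -> None:
    """Owner 'signs' the certificate (digest stands in for a signature)."""
    cert.sig.digest = _covered_bytes(cert.owner_key, cert.sig.hashed)


def verify(cert: Certificate) -> bool:
    return cert.sig.digest == _covered_bytes(cert.owner_key, cert.sig.hashed)


def adks_vulnerable(cert: Certificate) -> list:
    """Flawed reader: honours ADK attributes wherever they appear,
    including the area the owner never signed."""
    return [d for t, d in cert.sig.hashed + cert.sig.unhashed if t == SUBPKT_ADK]


def adks_hardened(cert: Certificate) -> list:
    """Hardened reader: refuse a certificate whose self-signature fails,
    and honour only attributes that the self-signature covers."""
    if not verify(cert):
        raise ValueError("self-signature does not verify; certificate altered")
    return [d for t, d in cert.sig.hashed if t == SUBPKT_ADK]


def build_owner_cert() -> Certificate:
    cert = Certificate(
        owner_key=b"constructed-owner-public-key",
        sig=SelfSignature(hashed=[(SUBPKT_KEY_FLAGS, b"\x0c")], unhashed=[]),
    )
    sign(cert)
    return cert


def add_unsigned_adk(cert: Certificate, fingerprint: bytes) -> Certificate:
    """Models the alteration the article describes: an extra key attribute
    appended to the public certificate outside the signed area."""
    cert.sig.unhashed.append((SUBPKT_ADK, fingerprint))
    return cert


def demo() -> dict:
    cert = add_unsigned_adk(build_owner_cert(), b"third-party-key-fingerprint")
    return {
        "signature_still_verifies": verify(cert),   # True: unhashed area is not covered
        "vulnerable_extraction": adks_vulnerable(cert),  # honours the unsigned key
        "hardened_extraction": adks_hardened(cert),      # ignores it
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is that the self-signature still verifies after the alteration, so a signature check alone is not enough; the reader must also restrict which attributes it trusts to those the signature actually covers. An attribute inserted into the covered area instead breaks the signature and is rejected by `adks_hardened`.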
Mike Wallach, president of PGP Security at Network Associates
said: “To our knowledge, no customer data has been compromised.”
The company emphasised that exploiting the flaw would be difficult
and it criticised Senderek for publishing the details on-line
without first approaching Network Associates, describing his action
as “irresponsible.”
The flaw was not previously detected because until this year, it
was illegal in the US to publish encryption source code on-line.
Senderek and others studied the source code when Network Associates
posted it on-line for peer review.