WASHINGTON -- A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
Both Zimmermann and the Czech engineers, Vlastimil Klima and Tomas Rosa, point out that the glitch does not affect messages encrypted with PGP. OpenPGP programs -- including GNU Privacy Guard and newer versions of PGP -- use different algorithms for signing and scrambling, and only the digital signature method is at risk.
PGP and its offspring are by far the most popular e-mail encryption programs in the world. Nobody has disclosed a flaw in their message-scrambling mechanisms, but PGP owner Network Associates suffered an embarrassment last August when a German cryptanalyst disclosed a flaw that allows an attacker to hoodwink PGP into not encoding secret information properly.
In this case, someone wishing to impersonate you would need to gain access to your secret key -- usually stored on a hard drive or a floppy disk -- surreptitiously modify it, then obtain a message you signed using the altered secret key. Once those steps are complete, that person could then digitally sign messages using your name.
"PGP or any program based on the OpenPGP format that does not have any extra integrity check will not recognize such modification and it will allow you to sign a message with the corrupted key," says Rosa, who works at Decros, an ICZ company. Rosa says he demonstrated the vulnerability with PGP 7.0.3.
OpenPGP's Zimmermann downplayed the attack, saying that it requires someone trying to impersonate you to physically or electronically break into your computer.
"It's not an attack that is going to be available to your opponent unless you're careless with your private key," Zimmermann said. "We specifically warn users to protect their private keys. Users who don't protect their private keys have always been at risk -- this is common sense."
Even before Klima and Rosa found this glitch, an attacker who managed to snatch someone's private key could try to break the passphrase that protected it -- and many people appear to rely on weak passphrases that can be guessed by a human or a machine.
"It's not a realistic attack," Zimmermann said. "Much worse attacks are possible if (an adversary) can get that far."
The exploit works by attacking the Digital Signature Algorithm's so-called discrete logarithm problem. DSA keys are typically stored in a file called secring.skr, and Klima and Rosa found that they could successfully insert a replacement key in it.
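One form of the "extra integrity check" Rosa refers to, as an added example that is not code from PGP, GnuPG or ICZ's work: before signing, re-derive the public value from the decrypted private exponent and the parameters stored beside it, and refuse to sign if anything is inconsistent. The toy DSA parameters, dictionary field names and pinned public value below are constructed for illustration and are not OpenPGP's packet format.

```python
# Constructed toy DSA secret-key record. Real DSA uses a p of 1024 bits or more;
# these tiny values exist only so the arithmetic can be followed by hand.
# p = 23, q = 11 divides p-1 = 22, g = 4 has order 11 mod 23, y = g^x mod p.
GOOD_KEY = {"p": 23, "q": 11, "g": 4, "y": 8, "x": 7}

# Assumption: the public value y is also held in a separate, trusted store
# (the public keyring or a certificate), so it can be pinned and compared.
PINNED_Y = 8


def check_secret_key(key, pinned_y=PINNED_Y):
    """Return a list of integrity problems; an empty list means the record is consistent.

    The decisive check is y == g^x mod p: an intruder who edits the unencrypted
    parameters (p, q, g) cannot produce a matching y without knowing x, which
    stays encrypted under the passphrase. (A primality test for p and q is
    omitted here for brevity; a real implementation would include one.)
    """
    p, q, g, y, x = (key[name] for name in ("p", "q", "g", "y", "x"))
    problems = []
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    if not 0 < x < q:
        problems.append("x out of range")
    if pow(g, x, p) != y:
        problems.append("y != g^x mod p")
    if y != pinned_y:
        problems.append("y differs from pinned public key")
    return problems


def tampered_key():
    """Constructed example: the same record with its generator silently replaced."""
    bad = dict(GOOD_KEY)
    bad["g"] = 22  # equals -1 mod 23, an element of order 2 rather than order q
    return bad


if __name__ == "__main__":
    print("untouched key:", check_secret_key(GOOD_KEY) or "consistent")
    print("tampered key: ", check_secret_key(tampered_key()))
```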
Network Associates did not return phone calls or e-mail messages asking if they had any plans to release a fixed version of PGP.
Klima said that on Thursday, he will publish an English-language description of their exploit on ICZ's web site. "We promised Network Associates that we will not release these details until tomorrow," he said.