European cryptographic researchers have uncovered a serious security flaw in both the Unix and Windows versions of Network Associates's PGP software 5.5 through 6.5.3.
The flaw allows a savvy attacker to alter the victim's PGP public certificate and read any message encrypted with the altered certificate.
A certificate is software that unites the user's identity with a set of encryption keys and is used for signing, encrypting and decrypting messages.
European researchers Ralf Senderek and Stephen Early disclosed their findings in a paper published Thursday online at http:senderek.de/security/key-experiments.html.
Network Associates acknowledged the paper's findings, emphasizing that the company is working on a software patch to prevent any attacker from exploiting this flaw.
"We'll have a patch out later today [last Thursday in the US] available at both pgp.com and nai.com," says Mike Wallach, president of PGP Security. "To our knowledge, no customer data has been compromised."The flaw centres on the way PGP implements a so-called "data-recovery" feature that lets an authorised third party gain access to data encrypted with the user's PGP certificate.
"The issue is an attacker can add an additional key to the user's public-key certificate to be used as an additional decryption key," acknowledges Mike Jones, PGP business line manager at Network Associates.
As it turns out, this flaw has actually existed since 1997, back when Phil Zimmermann, the original developer of PGP, added the data-recovery feature as he sought to commercialize the product for corporate use, Jones points out. As a safety measure, corporations want to have a way to decrypt data that their employees encrypt, Jones notes.
At the time, the federal government was also pushing hard to get companies to add so-called "key escrow" type technologies to their encryption products so that law enforcement could obtain access to encrypted data on demand.
Network Associates bought PGP in December 1997. The three-year-old flaw, not publicised until Thursday, lets an attacker decrypt PGP data but does not let the attacker impersonate the PGP certificate holder, Jones emphasises.