Security flaw discovered in PGP

Security flaw discovered in PGP

European cryptographic researchers have uncovered a serious security flaw in both the Unix and Windows versions of Network Associates's PGP software 5.5 through 6.5.3.

The flaw allows a savvy attacker to alter the victim's PGP public certificate and read any message encrypted with the altered certificate.

A certificate is software that unites the user's identity with a set of encryption keys and is used for signing, encrypting and decrypting messages.

European researchers Ralf Senderek and Stephen Early disclosed their findings in a paper published Thursday online at

Network Associates acknowledged the paper's findings, emphasizing that the company is working on a software patch to prevent any attacker from exploiting this flaw.

"We'll have a patch out later today [last Thursday in the US] available at both and," says Mike Wallach, president of PGP Security. "To our knowledge, no customer data has been compromised."The flaw centres on the way PGP implements a so-called "data-recovery" feature that lets an authorised third party gain access to data encrypted with the user's PGP certificate.

"The issue is an attacker can add an additional key to the user's public-key certificate to be used as an additional decryption key," acknowledges Mike Jones, PGP business line manager at Network Associates.

As it turns out, this flaw has actually existed since 1997, back when Phil Zimmermann, the original developer of PGP, added the data-recovery feature as he sought to commercialize the product for corporate use, Jones points out. As a safety measure, corporations want to have a way to decrypt data that their employees encrypt, Jones notes.

At the time, the federal government was also pushing hard to get companies to add so-called "key escrow" type technologies to their encryption products so that law enforcement could obtain access to encrypted data on demand.

Network Associates bought PGP in December 1997. The three-year-old flaw, not publicised until Thursday, lets an attacker decrypt PGP data but does not let the attacker impersonate the PGP certificate holder, Jones emphasises.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.


ARN Innovation Awards 2022

Innovation Awards is the market-leading awards program for celebrating ecosystem innovation and excellence across the technology sector in Australia.

EDGE 2022

EDGE is the leading technology conference for business leaders in Australia and New Zealand, built on the foundations of collaboration, education and advancement.

Show Comments