Security flaw discovered in Network Associates PGP software

Network Associates working on patch to correct problem.

European cryptographic researchers have uncovered a serious security flaw in both the Unix and Windows versions of Network Associates PGP software 5.5 through 6.5.3, a flaw that allows a savvy attacker to alter the victim's PGP public certificate and read any message encrypted with the altered certificate.

A certificate is a data structure that binds the user's identity to a set of encryption keys and is used for signing, encrypting and decrypting messages.

European researchers Ralf Senderek and Stephen Early disclosed their findings in a paper published Thursday online at http://senderek.de/security/key-experiments.html.

Network Associates acknowledged the paper's findings, emphasizing that the company is working on a software patch to prevent any attacker from exploiting this flaw.

"To our knowledge, no customer data has been compromised," says Mike Wallach, president of PGP Security.

Network Associates executives originally wanted to make the software fix for PGP available Thursday, but they now say it will be available for download from PGP.com by 5 p.m. Friday.

The flaw centers on the way that PGP implements a so-called "data-recovery" feature that lets an authorized third party gain access to data encrypted with the user's PGP certificate.

"The issue is an attacker can add an additional key to the user's public-key certificate to be used as an additional decryption key," acknowledges Mike Jones, PGP business line manager at Network Associates.

As it turns out, this flaw has actually existed since 1997, back when Phil Zimmermann, the original developer of PGP, added the data-recovery feature as he sought to commercialize the product for corporate use, Jones points out. As a safety measure, corporations want to have a way to decrypt data that their employees encrypt, Jones notes.

At the time, the federal government was also pushing hard to get companies to add so-called "key escrow" type technologies to their encryption products so that law enforcement could obtain access to encrypted data on demand.

Network Associates bought PGP in December 1997. The three-year-old flaw, not publicized until Thursday, lets an attacker decrypt PGP data but does not let the attacker impersonate the PGP certificate holder, Jones emphasizes.

Network Associates has taken offline a central server in Santa Clara, Calif., containing PGP public-key certificates until the problem is resolved, which should occur by tomorrow morning.

The patch that Network Associates expects to release soon will correct two problems. It will prevent any additional decryption keys from being added to any field in the PGP certificate. And it will verify where additional decryption keys came from, to ensure there has been no tampering with a user's certificate.

Jones expresses some anger that the European researchers publicized their findings without first informing Network Associates of the flaw. "That was irresponsible of them," he says.

Network Associates says the discovered vulnerability is actually quite difficult to exploit. You have to modify the sender's public-key certificate, make sure the sender would have a copy of that and modify the recipient's key as well, Jones says. That is more easily said than done.

But it is certainly possible. The PGP bug arises from PGP's original mistake of not requiring that every additional decryption key in the data-recovery field be signed, which would have prevented the tampering.
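As an added illustration, not code from Network Associates or from the researchers' paper, the toy model below contrasts honouring every additional decryption key (ADK) found in a certificate with honouring only ADKs that the owner's self-signature covers, which is the check the patch adds. The self-signature is modelled as an HMAC with the owner's secret (in real PGP it is a public-key signature), and all key names and values are constructed.

```python
# Toy model of a PGP-style public-key certificate with ADK subpackets.
# Constructed example, not OpenPGP parsing: the self-signature is an HMAC
# standing in for the owner's public-key signature over the signed area.
import hashlib
import hmac

OWNER_SECRET = b"constructed-owner-secret"   # stands in for the owner's private key

def self_sign(secret, key_id, signed_subpackets):
    """The signature covers the key id and the signed subpackets, nothing else."""
    msg = key_id.encode() + repr(signed_subpackets).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def make_cert(secret, key_id, corporate_adk=None):
    """Owner-issued certificate: the corporate recovery key lives in the signed area."""
    signed = [("adk", corporate_adk)] if corporate_adk else []
    return {"key_id": key_id, "signed": signed, "unsigned": [],
            "sig": self_sign(secret, key_id, signed)}

def encrypt_to_vulnerable(cert):
    """Pre-patch behaviour: every ADK subpacket anywhere in the certificate is
    used, so one appended outside the signed area is silently trusted."""
    adks = [v for t, v in cert["signed"] + cert["unsigned"] if t == "adk"]
    return [cert["key_id"]] + adks

def encrypt_to_patched(cert, secret):
    """Patched behaviour: verify the self-signature, then use only ADKs that sit
    inside the signed area, i.e. the ones the owner actually vouched for."""
    expected = self_sign(secret, cert["key_id"], cert["signed"])
    if not hmac.compare_digest(expected, cert["sig"]):
        raise ValueError("certificate self-signature invalid: refusing to encrypt")
    adks = [v for t, v in cert["signed"] if t == "adk"]
    return [cert["key_id"]] + adks

def demo():
    cert = make_cert(OWNER_SECRET, "ALICE", corporate_adk="CORP-RECOVERY")
    # Tampered copy: an extra ADK placed in the unsigned area, signature untouched.
    tampered = dict(cert, unsigned=[("adk", "THIRD-PARTY")])
    # Second tampered copy: ADK placed in the signed area, so the signature no longer matches.
    forged = dict(cert, signed=cert["signed"] + [("adk", "THIRD-PARTY")])
    results = {"vulnerable": encrypt_to_vulnerable(tampered),
               "patched": encrypt_to_patched(tampered, OWNER_SECRET)}
    try:
        encrypt_to_patched(forged, OWNER_SECRET)
        results["forged"] = "accepted"
    except ValueError:
        results["forged"] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The vulnerable path encrypts to the third-party key as well as the owner's and corporate keys; the patched path ignores the unsigned ADK and refuses the certificate outright when the signed area has been altered.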

"The reason the researchers could discover it at all is because we publish the source code for peer review," Jones adds.

However, until earlier this year, the government's encryption regulations did not permit encryption source code to be published online. So, the PGP source code was only available in a 43-volume, 65,000-page set of books sold in a Palo Alto bookstore called Printer's Ink.

Contact Senior Editor Ellen Messmer
