Researchers claim to have detected a flaw in a popular e-mail encryption technology that could allow hackers to read protected messages.
The flaw occurs in software that uses Pretty Good Privacy, a tool for scrambling e-mail. However, in order to exploit the vulnerability, hackers must convince their targets to reply to a sabotaged e-mail message.
Researchers working at Columbia University discovered the flaw, which requires a hacker to intercept and modify an encrypted message. If the recipient attempts to decrypt the message, he or she will be presented with a string of gibberish. If the recipient then replies to that message, saying, for instance, "what were you trying to say?" and quotes the string of gibberish, the attacker could use that response to decode the original message.
The paper's authors--Kahil Jallad, Jonathan Katz and Bruce Schneier--say that the so-called ciphertext attacks are "quite feasible" and are of "serious concern." They provide details on the threat in a paper that is scheduled to be presented at the Information Security Conference 2002 Proceedings later this year.
Pretty Good Privacy, or PGP, has been around for more than 10 years. It's been best known as a "freeware" program, meaning that it was available at no cost. Network Associates tried to make a go at selling PGP to corporations, but gave up on that idea earlier this year.
The flaw also affects OpenPGP, an open-source version of the encryption software.
By the way, have I mentioned that me101 shows me the link to the original story? :rolleyes:
News source: CNet News - PGP encryption defect uncovered