PDA

View Full Version : PGP compromised?



Blacksheep
06-02-2001, 12:02 PM
Is there any evidence that PGP, open source or other, has been compromised by SORM, Carnivore, Echelon, or other government spy agencies?

BS

Otto
06-05-2001, 03:40 PM
Originally posted by Blacksheep
Is there any evidence that PGP, open source or other, has been compromised by SORM, Carnivore, Echelon, or other government spy agencies?

BS

The above mentioned programs are mostly aimed at intercepting and accumulating the data, not on compromising encrypted information.

I am not aware of PGP being exploited by any intelligence agencies.

johnny
06-07-2001, 06:22 PM
By two Czech researchers earlier this year. Here is an excerpt from their announcement:

"The attack was successfully verified and demonstrated on PGPTM(*) version 7.0.* using AES and DH/DSS algorithms, which are deservedly being considered as highly secure.

"This serious bug is caused by incorrect implementation of the above-mentioned strong cryptographic techniques. The private signature key is the basic and the most sensitive information in the whole system. The user is using it for digital signature. In all systems, including OpenPGP, it is therefore protected by a strong cipher. AES, one of the latest strong algorithms, has been used in the attacked system. However, the protection appears to be illusory.

"The authors proved that attackers do not need to attack the strong cipher itself. They can simply bypass it as well as the secret user's passphrase. A slight modification of the private key file followed by capturing a signed message is enough to break the private key. These tasks can be performed without knowledge of the user's passphrase. After that, a special program can be run on any office PC. Based on the captured message, the program is able to calculate the user's private key in half a second. The attacker can then sign any messages instead of the attacked user. Despite of very quick calculation, the program is based on a special cryptographic know-how..."

Here is a link to the full article:

http://www.i.cz/en/onas/tisk4.html

I'd be interested in knowledgeable comment here once you've read the article, anyone.

Johnny

[Edited by johnny on 06-07-200* at **:*0 PM]

Blacksheep
06-09-2001, 11:49 AM
http://www.pcworld.com/news/article/0,aid,4522*,00.asp

This minor flaw has been fixed in NAI PGP. Use the best Internet search engine

http://www.google.com/advanced_search

and you can find lots of info about this subject, or any other subject.:-)

MrByte
06-09-2001, 01:33 PM
Yes, I wouldn't call this bug very important. Basically, if an adversary got access to your private keyfile, which almost always means that he got access to your PC, you're toasted anyway. Things that are much worse can happen.

MrByte
06-10-2001, 10:11 AM
Originally posted by moseley_international
While I cannot confirm or deny these rumours with *00% certainty, I really doubt that either is true.


You? You can't confirm or deny? Well ... if you're quoting someone, it's usually a good idea to mention the author. This paragraph was taken from the PGP Attack FAQ written by infiNity, available here:

http://www.stack.nl/~galactus/remailers/attack-faq.html

or

http://20*.86.24*.205/pgp-attk.txt

Blacksheep
06-10-2001, 02:26 PM
From: http://www.m-w.com

Main Entry: pla·gia·rize
Pronunciation: 'plA-j&-"rIz also -jE-&-
Function: verb
Inflected Form(s): -rized; -riz·ing
Etymology: plagiary
Date: *7*6
transitive senses : to steal and pass off (the ideas or words of another) as one's own : use (another's production) without ******ing the source
intransitive senses : to commit literary theft : present as new and original an idea or product derived from an existing source
- pla·gia·riz·er noun

[Edited by Blacksheep on 06-*0-200* at 06:*4 PM]