BBC Homepage World Service Education
BBC Homepagelow graphics version | feedback | help
BBC News Online
 You are in: Sci/Tech
Front Page 
UK Politics 
Talking Point 
In Depth 

Friday, 25 August, 2000, 17:13 GMT 18:13 UK
Bug threatens net privacy
keys for PGP
Hackers might be able to cut their own keys to scrambled messages
By BBC News Online internet reporter Mark Ward

An encryption programme that has become a byword for privacy has a bug that could let people read intercepted messages.

PGP, or Pretty Good Privacy, is a favourite of many computer professionals everywhere because it allows them to stop anyone but themselves reading their email.

Now a flaw has been found in PGP that lets malicious hackers tamper with its encryption system letting them read any messages they can intercept.

About 7 million people use PGP to encrypt email messages.

PGP uses a technique called Public Key Encryption to ensure email messages are only read by the person they are intended for.

This is a fairly esoteric attack. It's unlikely that anybody without specialized knowledge could
use it

Mike Wallach,

Every person that uses PGP has two keys, one public and one private, to protect messages.

The public key is used to lock a message and only the corresponding private key can unlock it.

Although called keys, the encryption/decryption parts of PGP are actually lengthy numbers.

They provide protection because it would take a computer many hundreds of years to crank through all the possible combinations of the two numbers.

A person's public key can be found by searching the servers which PGP has dotted around the world. Many people append their public key to the end of the messages they send so fellow users of PGP can encrypt any reply.

But now German Security expert Ralf Senderek has found that an add-on for PGP has compromised this encrypted path.

Through the keyhole

In 1997 PGP was extended so that other keys could be added to the public key allowing more than one person to read the message it was protecting.

PGP was given this ability to allow workers collaborating on projects to share messages. It could also allow security forces or businesses to intercept and eavesdrop on messages.

Permission for the extra keys to be added to the public key was supposed to rest with the owner of the corresponding private key.

However Mr Senderek has now found that additional keys can be added to a public key without the permission of the holder of the private key.

If the person adding the additional keys can intercept the messages they will be able to read them.

The bug affects versions 5.5.x to 6.5.3 of the domestic and international versions of the PGP software. PGP has been vulnerable in this way since 1997.

Phil Zimmerman, inventor of PGP and spokesman for the company, said it had taken swift action to ensure that the loophole could not be exploited.

He said initially PGP was ensuring that its main server filtered out the bogus keys and other servers around the world would be updated soon. Updates for PGP software will follow soon that will also filter out the bogus data.

So far there is no evidence that the flaw has been exploited for gain.

"This is a fairly esoteric attack. It's unlikely that anybody without specialized knowledge could use it," said Mike Wallach, president of PGP Security.

Search BBC News Online

Advanced search options
Launch console
See also:

15 Dec 99 | Business
Internet security boon
21 Jun 00 | Talking Point
Is net surveillance prying or policing?
28 Jun 00 | Sci/Tech
Powering up the Grid
02 Sep 99 | Americas
Internet encryption divides America
04 Sep 99 | Sci/Tech
Windows 'back door' security alert
26 Aug 99 | Sci/Tech
The self-destructing e-mail
Internet links:

The BBC is not responsible for the content of external internet sites

Links to more Sci/Tech stories are at the foot of the page.

E-mail this story to a friend

Links to more Sci/Tech stories