August 12, 2002 PGP Attack Leaves Mail Vulnerable By Dennis Fisher Two cryptography experts and a graduate student have identified an attack on the widely deployed PGP e-mail encryption software that enables an attacker to decode an encrypted mail message. The attack itself is not new, but it had been thought to be impractical. However, a new paper to be published today by Bruce Schneier, chief technology officer of Counterpane Internet Security Inc., and a renowned cryptographer; Jonathan Katz, an assistant professor of computer science at the University of Maryland; and Kahil Jallad, a graduate student working with Katz, shows that the attack can be accomplished. The approach, know as a "chosen ciphertext" attack, requires that an attacker be able to eavesdrop on a channel through which two people—Alice and Bob in cryptographic parlance—are sending encrypted communications. Alice sends Bob an encrypted message, which a third party, dubbed Eve, intercepts. Eve can't read the message, so she sends Bob a specially formed message. Bob decrypts Eve's message, but finds only gibberish. If Bob then sends Eve's message back to her, Eve can recover the original message Alice sent Bob through careful mathematical analysis of Bob's reply. The authors tested their attack on PGP 2.6.2 and Gnu Privacy Guard (GnuPG), an open-source version. There are new versions of both programs available now that defend against this attack. Schneier and Katz wrote a similar paper in 2000 that laid out the basics of this particular attack in theoretical terms. "It's a real attack. It does require some social engineering on Eve's part, but if Bob isn't security savvy, it is not unreasonable to think that he will fall for it," said Schneier, author of two cryptographic algorithms and the book "Applied Cryptography," widely regarded as one of the seminal works in computer cryptography. The attack is somewhat less effective against compressed messages, which is a common format for messages sent by many e-mail encryption programs, including PGP. "The attack requires a special set of circumstances; however, any attack that can trick a user to decrypt a message must be taken seriously," said Jon Callas, a developer of PGP who is also principal author of the Internet Engineering Task Force's OpenPGP standardization and specification enhancement process. PGP is by far the world's most well-known e-mail encryption software and is a favorite of privacy and security hobbyists as well as federal agencies. The application and its creator, Phil Zimmermann, have attained cult status in the Internet community since Zimmermann first uploaded PGP to the Internet in 1991. It has been the target of innumerable attacks in the intervening years, but the encryption algorithm itself remains unbroken. However, Zimmermann never believed it would remain so forever. "Anyone who thinks they have devised an unbreakable encryption scheme either is an incredibly rare genius or is naive and inexperienced," he wrote in the original PGP User's Guide in 1991. Related stories: PGP Flaw Affects Microsoft Outlook