The Register: PGP, GPG Defeated

[ Thanks to Jason Greenwood for this link. ]

"OpenPGP and GnuPG are susceptible to a chosen-cyphertext attack which would allow an adversary capable of intercepting an encrypted message to use the intended recipient as an unwitting 'decryption oracle', researchers Kahil Jallad, Jonathan Katz and Bruce Schneier report in a recent paper.

"In a nutshell, Jane sends an encrypted e-mail message to Dick. Unfortunately, Bill intercepts Jane's message and forwards her message to Dick following a bit of tinkering. When Dick receives it, he's puzzled by an incomprehensible message. If he replies to Bill for clarification with the cyphertext in his reply, and if he has his crypto program set on cruise control, Bill may well be able to read Jane's message.

"Of course there are numerous complications which we'll get to presently, but conceptually that's all there is to it. It's similar to a man-in-the-middle attack, only Dick and Jane are not kept under the illusion that they're communicating with each other..."

Complete Story

Related Stories:

• PCWorld.com: What Does the Future Hold for PGP?(Jul 24, 2002)
• GnuPG 1.0.7 Released (May 08, 2002)
• MandrakeSecure.net: Using GnuPG(Apr 23, 2002)