InfoWorld: Pretty Good Privacy flaw reported
Aug 25, 2000, 06:44
(Other stories by Elinor Abreu)
"The problem arises from a feature that Network Associates added to PGP, which stands for Pretty Good Privacy. The feature allows for third-party key recovery, also known as key escrow."
"The flaw, discovered by Ralf Senderek and reported Thursday, highlights the technical difficulties in creating key-recovery systems, said Bruce Schneier, CTO of Counterpane Internet Security and author of Applied Cryptography. Schneier, and a group of other cryptographers predicted the exact type of problem that PGP now faces in a paper they wrote in 1997, when the U.S. government was pushing for key escrow, raising the ire of civil libertarians and many software firms in the process."
"When you add key escrow, or key recovery, into a system, you're adding complexity, and by its very nature, it's going to be harder to build a secure system," Schneier says. "Now there are more things to get right and more chances of getting things wrong. This is an example of that."
"Under PGP, each person has a public key and a private key, or codes that are used to encrypt and decrypt messages. A person sending an e-mail message can use a recipient's public key to encrypt messages that only the recipient can decrypt, with their private key. Key-recovery systems allow a third party, usually a corporation or the government, to access encrypted data in the event that an employee leaves the company, or for criminal investigations."