The Register: PGP, GPG Defeated
Aug 13, 2002, 17:00 (6 Talkback[s])
(Other stories by Thomas C Greene)
WEBINAR: On-demand Event
Replace Oracle with the NoSQL Engagement Database: Why and how leading companies are making the switch REGISTER >
[ Thanks to Jason
Greenwood for this link. ]
"OpenPGP and GnuPG are susceptible to a chosen-cyphertext attack
which would allow an adversary capable of intercepting an encrypted
message to use the intended recipient as an unwitting 'decryption
oracle', researchers Kahil Jallad, Jonathan Katz and Bruce Schneier
report in a recent paper.
"In a nutshell, Jane sends an encrypted e-mail message to Dick.
Unfortunately, Bill intercepts Jane's message and forwards her
message to Dick following a bit of tinkering. When Dick receives
it, he's puzzled by an incomprehensible message. If he replies to
Bill for clarification with the cyphertext in his reply, and if he
has his crypto program set on cruise control, Bill may well be able
to read Jane's message.
"Of course there are numerous complications which we'll get to
presently, but conceptually that's all there is to it. It's similar
to a man-in-the-middle attack, only Dick and Jane are not kept
under the illusion that they're communicating with each