“The problem arises from a feature that Network Associates added
to PGP, which stands for Pretty Good Privacy. The feature allows
for third-party key recovery, also known as key escrow.”
“The flaw, discovered by Ralf Senderek and reported Thursday,
highlights the technical difficulties in creating key-recovery
systems, said Bruce Schneier, CTO of Counterpane Internet Security
and author of Applied Cryptography. Schneier, and a group of
other cryptographers predicted the exact type of problem that PGP
now faces in a paper they wrote in 1997, when the U.S. government
was pushing for key escrow, raising the ire of civil libertarians
and many software firms in the process.“
“When you add key escrow, or key recovery, into a system, you’re
adding complexity, and by its very nature, it’s going to be harder
to build a secure system,” Schneier says. “Now there are more
things to get right and more chances of getting things wrong. This
is an example of that.”
“Under PGP, each person has a public key and a private key, or
codes that are used to encrypt and decrypt messages. A person
sending an e-mail message can use a recipient’s public key to
encrypt messages that only the recipient can decrypt, with their
private key. Key-recovery systems allow a third party, usually a
corporation or the government, to access encrypted data in the
event that an employee leaves the company, or for criminal
investigations.”