From: Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Date: Mon Mar 19 2001 - 18:42:49 CST

    The rumour goes around that a group of cryptologists working for a Czech
    company called ICZ has discovered a fatal problem in PGP as a side effect
    of their work on a special crypto device for the Czech government.

    If you understand Czech (or if you want to check all the keywords are
    there), you can read an article titled "Do you trust PGP? A mistake!"
    about the whole thing at http://www.swnet.cz/article.php?id=15096

    Allegedly, there is a vulnerability in OpenPGP format definition (sic)
    allowing an attacker to circumvent (sic) the encryption used to protect
    private signing keys and to recover those keys in real time (sic).

    To make the article sound a little more like a piece of FUD, they add
    that only higher and more demanding professional systems (sic), when
    implemented and used correctly, can be considered really secure.

    No details are available right now and the data included in the article
    seems to be partially self-contradicting (on the other hand, it can be
    just a result of standard journalistic post-production). They say there
    will be a press conference today (March 20) at 15:00 MET where ICZ people
    will shed more light on this issue.

    Personally, I think they have found some new obscure attack (perhaps some
    side-channel attack) that can be used when some bizarre conditions are
    met, or maybe they have reinvented the wheel, and have discovered a Trojan
    horse can steal private keys when PGP decrypts them in order to be able to
    use them.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."