Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Pavel Kankovsky (peakARGO.TROJA.MFF.CUNI.CZ)
Date: Mon Mar 19 2001 - 18:42:49 CST
The rumour goes around that a group of cryptologists working for a Czech
company called ICZ has discovered a fatal problem in PGP as a side effect
of their work on a special crypto device for the Czech government.
If you understand Czech (or if you want to check all the keywords are
there), you can read an article titled "Do you trust PGP? A mistake!"
about the whole thing at http://www.swnet.cz/article.php?id=15096
Allegedly, there is a vulnerability in OpenPGP format definition (sic)
allowing an attacker to circumvent (sic) the encryption used to protect
private signing keys and to recover those keys in real time (sic).
To make the article sound a little more like a piece of FUD, they add
that only higher and more demanding professional systems (sic), when
implemented and used correctly, can be considered really secure.
No details are available right now and the data included in the article
seems to be partially self-contradicting (on the other hand, it can be
just a result of standard journalistic post-production). They say there
will be a press conference today (March 20) at 15:00 MET where ICZ people
will shed more light on this issue.
Personally, I think they have found some new obscure attack (perhaps some
side-channel attack) that can be used when some bizzare conditions are
met, or maybe they have reinvented the wheel, and have discovered a Trojan
horse can steal private keys when PGP decrypts them in order to be able to
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."