CA-2001-02 Serious Vulnerability in PGP Encryption Feature

Original release date: June 3, 2001

A complete revision history is at the end of this file.

Systems Affected

  • All versions of PGP that support Encryption

Overview

A serious vulnerability exists in PGP that may prevent users from being able to access encrypted data.

I. Description

Background

PGP is the most commonly used encryption software on the internet. A feature of PGP is that it allows users to encrypt files, preventing unauthorized access to these files.

Symmetrical PGP encryption relies on the pass phrase mechanism, whereby the user supplies a phrase that serves as the key for encryption. The pass phrase is used when the data is first encrypted, and again when the user wishes to access the data.

Due to problems surrounding user memory, it is a somewhat common practice to store passwords and pass phrases somewhere they can be later retrieved by the user. To prevent unauthorized access to these passwords and pass phrases, encryption is sometimes used.

A flaw in the PGP encryption mechanism permits users to encrypt a file containing their pass phrase in case of forgetfulness. In those cases where the user does forget the pass phrase, however, they will be unable to access the encrypted data. This is clearly a severe problem with the design of PGP.

II. Impact

Users may be unable to access encrypted data or retrieve their passwords and pass phrases.

III. Solution

Since this issue is inherent in the structure of PGP, it is unclear whether a patch can be designed to solve this problem.

Solutions for Users

CUSERT is currently unaware of any real solutions to this problem; however, a workaround exists. CUSERT advises all users of PGP not to encrypt the files containing their passwords and pass phrases. A better solution is to post this information somewhere it can be easily retrieved, such as a POST-IT note on your monitor.

For enhanced backup security, it is recommended that you also post your passwords and pass phrases on your website if you have one. This will protect you in case of decreased viscosity on your POST-ITs.

CERT/CC Contact Information

Email: [email protected]

Phone: +1 900-IMA-USER (24-hour hotline)

CUSERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Getting security information

CUSERT publications and other security information are available from our web site

https://www.bhodisoft.com/CUSERT/

Copyright 2001 Blake R. Swopes.

NO WARRANTY
Any material furnished by Computer User Stupidity Emergency Response Team/Coordination Center is furnished on an “as is” basis. CUSERT makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. CUSERT does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Revision History

June 3, 2001: Initial release.
December 25, 2012: Moved to new CMS.