Researchers at the Czech company ICZ have uncovered a serious vulnerability in OpenPGP. According to the company's findings, an attacker can make a slight modification to the user's private key file and then capture a message signed with that modified key file to discover a user's private keys. By comparing the captured message and the modified key file, the attacker can bypass the strong encryption that OpenPGP uses, revealing the private key without using a passphrase.
In response to a news report by News.com, inventor Phil Zimmerman said, "This is not a practical attack. Your adversary has to be able to modify your private key. That means they have to have access to your computer. Once an attacker has access, there are many other ways they can monitor the system. That makes the attack largely irrelevant."
ICZ points out that although gaining access to a user's private key can be difficult, workstations routinely transfer private keys for a variety of reasons. In these situations, attackers with network access can capture these keys as they travel back and forth. ICZ went on to point out that network administrators can also capture user's private keys.
ICZ's report states that although its findings pertain to its research with PGP, the company believes that similar vulnerabilities might exist in other encryption products that use asymmetric algorithms, such as technology based on elliptic curves.
Zimmerman and Network Associates (owners of the PGP trademark) both were unable to get additional details from ICZ regarding the vulnerability. However, OpenPGP was able to recreate the attack based on details provided in ICZ's report. No information is available about when this vulnerability might be corrected. The current version of OpenPGP for Windows platforms is 7.0.3.