PGP Encryption Flaw Discovered in Email Security | Globalnet Blog (2024)
A German newspaper has released details of a security vulnerability, discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption.
What Is PGP?
PGP (Pretty Good Privacy) is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications. As well as being used to encrypt and decrypt email, PGP is also used to sign messages so that the receiver can verify both the identity of the sender and the integrity of the content. PGP works using a private key that is kept secret, and a public key that the sender and receiver share.
The technology is also known by the name of GPG (Gnu Privacy Guard or GnuPG), and is a compatible GPL-licensed alternative.
The flaw, which was first thought by some security experts to affected the core protocol of PGP (which would make all uses of the encryption method, including file encryption, vulnerable), is now believed to be related to any email programs that don’t check for decryption errors properly before following links in emails that include HTML code i.e. email programs that have been designed without appropriate safeguards.
‘Efail’ Attacks
The flaw leaves this system of encryption open to what have been called ‘efail’ attacks. This involves attackers trying to gain access to encrypted emails (for example by eavesdropping on network traffic), and compromising email accounts, email servers, backup systems or client computers. The idea is to reveal the plaintext of encrypted emails (in the OpenPGP and S/MIME standards).
This type of attack can be carried out by direct exfiltration, where vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird can be abused to directly exfiltrate the plaintext of encrypted emails, or by a CBC/CFB gadget. This is where vulnerabilities in the specification of OpenPGP and S/MIME are abused to exfiltrate the plaintext.
What Could Happen?
The main fear appears to be that the vulnerabilities could be used to decrypt stored, encrypted emails that have been sent in the past (if an attacker can gain access). It is thought that the vulnerabilities could also create a channel for sneaking personal data or commercial data and business secrets off devices as well as for decrypting messages.
What Does This Mean For Your Business?
It is frustrating for businesses to learn that the email programs they may be using, and a method of encryption, supposed to make things more secure, could actually be providin a route for criminals to steal data and secrets.
The advice from those familiar with the details of the flaw is that users of PGP email can disable HTML in their mail programs, thereby keeping them safe from attacks based on this particular vulnerability. Also, users can choose to decrypt emails with PGP decryption tools that are separate from email programs.
More detailed information and advice concerning the flaw can be found here: https://efail.de/#i-have
Globalnet IT Innovations offer a range of managed IT services and on-demand IT services,including secure Outlook 365 email. Call us on0203 005 9650 to speak to one of our ITconsultants and discover how we can help you reach your business goals.
Though PGP encryption cannot be hacked, OpenPGP does have a vulnerability that disrupts PGP encrypted messages when exploited. The vulnerability permits public keys stored in Synchronising Key Servers (SKS) to undergo unlimited alterations by cybercriminals.
To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic, or computational means.
Yes, PGP encryption is still used and is considered an industry standard for protecting sensitive information. Both commercial and free, open-source implementations of PGP are available. Commercial solutions offer technical support that may be lacking in freeware tools.
Untrusted search path vulnerability in PGP Desktop 9.9. 0 Build 397, 9.10. x, 10.0. 0 Build 2732, and probably other versions allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse tsp.
Virtru End-to-End Encryption –Better than Pretty Good
Virtru overcomes inherent weaknesses in PGP and S/MIME and represents the next generation of end-to-end encryption. “Virtru offers encryption as secure as PGP but makes it easy enough that our end users, customers and partners can use it regularly.”
In July 2022 the public npm registry migrated away from the existing PGP signatures to a new ECDSA signatures for signature verification. PGP based registry signatures will be deprecated on April 25th 2023.
Modern alternative: nacl/box and nacl/secretbox. These are general-purpose replacements for encrypting any kind of data. They support public-key and secret-key encryption, respectively, and both use secure modern modes and ciphers.
Pretty Good Privacy (PGP) is a security program used to decrypt and encrypt email and authenticate email messages through digital signatures and file encryption.
In order to manually do Gmail PGP encryption for your emails, you'll need to download a PGP or GPG software program to your local device. If you have Windows as your operating system, a good option is GPG4Win.
PGP makes use of four types of keys: one-time session symmetric keys, public keys, private keys, and passphrase-based symmetric keys. Three separate requirements can be identified with respect to these keys: 1. a means of generating unpredictable session keys is needed.
TLS is the most common encryption protocol used today, but it still has limitations. To ensure your company's email is secure and encrypted from the start, use STARTTLS with encryption algorithms such as PGP or S/MIME.
At its core, PGP remains cryptographically sound, and using a few bad implementations to claim that “PGP has a serious flaw” is both untrue and disingenuous.
PGP does a mediocre job of signing things, a relatively poor job of encrypting them with passwords, and a pretty bad job of encrypting them with public keys. PGP is not an especially good way to securely transfer a file. It's a clunky way to sign packages.
Lack of anonymity: PGP will encrypt messages that users send, but it does not anonymize them. As a result, senders and recipients of emails sent through a PGP solution can be traced. The subject line of the message is also not encrypted, so avoid including sensitive data or information.
Encryption requires advanced hardware and software to be implemented, and this can be expensive. Furthermore, encryption hardware and software are often complicated and may require outside consultation or expertise to properly utilize, resulting in additional costs for businesses.
One of the basic criticisms of GPG is around it's use of long term keys and lack of forward secrecy. This is actually a feature not a bug. One can be certain that a GPG key will decrypt a data that has been encrypted with it in the future.
Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
