Researchers say they’ve found a security flaw in the process by which an older version of Pretty Good Privacy (PGP) encryption software reads random numbers, making the cryptographic keys potentially insecure.
The flaw was discovered in the PGP 5.0 code base and is specific to Linux and OpenBSD command-line versions.
According to security researchers, PGP 5.0, created by PGP Inc., generates public/private key pairs with no or only a small amount of randomness under certain circumstances. PGP must gather random numbers from reliable sources so that the keys cannot be predicted by attackers. Versions 2.x and 6.5 of PGP aren’t affected and nor are PGP versions ported to other platforms.
The problem was discovered by Germano Caronni, a researcher in the security group at Palo Alto-Calif.-based Sun Microsystems Inc., who said he doesn’t speak on behalf of his company. The PGP flaw was verified by Thomas Roessler, a student at the University of Bonn, and Marcel Waldvogel, an associate professor at Washington University in St. Louis, Mo. Caronni and Roessler then posted the issue to the widely distributed BUGTRAQ security list.
According to the advisory, the problem is most serious when users start from scratch with a newly installed version of PGP 5.0 on a Unix system with a specific type of randomizing that creates key pairs using the command line only, with no interaction.
Caronni noted in the advisory that instead of correctly reading random data generated by the dev/random service, PGP 5.0i instead reads a stream of bytes with the value “1.” Caronni and Roessler suggested that PGP 5.0 overestimates the randomness of the data it is being fed by what’s called a “dev/random device” when the software creates secure keys.
They noted that this isn’t a flaw in the random service, but in the PGP 5.0 implementation.
“If I, as a user, wanted to send someone a message using PGP, I would first want to confirm that they were not generating their key with the bad version, otherwise the crypto isn’t very useful,” said PGP user Lenny Foner, a Somerville, Mass.-based cryptography and public policy researcher. “And there is no easy and secure way to do that except to call them on the phone and ask them how they generated their key.”
Network Associates Inc., which develops and markets newer versions of PGP, including the recently released PGP 7.0, wasn’t available to comment on the flaw by press time.
Caronni advised that users who generated their key noninteractively on Linux or OpenBSD should consider revoking it and create a new key using a reliable version of PGP.
Under the public/private key cryptography system, each user generates a public key for others to obtain when they want to send them an encrypted message. User A, for example, obtains user B’s public key, encrypts a message and sends it. That message can only be decrypted with user B’s private key.
Caronni said he was astonished to find the flaw in source code that had been publicly available for over a year. Some experts consider software such as PGP 5.0 more secure than proprietary programs because it is in the public domain and can be reviewed by the technical community. “That is a good beginning point, but people have to read it,” Caronni said.
He also said the amount of randomness gathered from other sources should still be sufficient for most applications. He urged users to continue using PGP to secure their data and noted that most people generate their keys using Windows versions of PGP or PGP 6.5 that aren’t affected by the flaw.
