While man-in-the-middle attacks are nothing new, several cryptography experts have recently demonstrated a weakness in the popular e-mail encryption program PGP. The experts worked with a graduate student to demonstrate an attack which enables an attacker to decode an encrypted mail message if the victim falls for a simple social-engineering ploy.
The attack would begin with an encrypted message sent by person A intended for person B, but instead the message is intercepted by person C. Person C then launches a chosen cipher text attack by sending a known encrypted message to person B. If person B has his e-mail program set to automatically decrypt the message or decides to decrypt it anyway, he will see only a garbled message. If that person then adds a reply, and includes part of the garbled message, the attacker can then decipher the required key to decrypt the original message from person A.
The attack was tested against two of the more popular PGP implementations, PGP 2.6.2 and GnuPG, and was found to be 100% effective if file compression was not enabled. Both programs have the ability to compress data by default before encrypting it, which can thwart the attack. A paper was published by Bruce Schneier, chief technology officer of Counterpane Internet Security Inc.; Jonathan Katz, an assistant professor of computer science at the University of Maryland; and Kahil Jallad, a graduate student working with Katz at the University of Maryland. It was hoped that the disclosure would prompt changes in the open-source software and commercial versions to enhance its ability to thwart attacks, and to educate users to look for chosen cipher text attacks in general.
PGP is the world?s best known e-mail encryption software and has been a favorite since Phil Zimmermann first invented it in 1991; it has become the most widely used e-mail encryption software. While numerous attacks have been tried, none have yet succeeded in breaking the algorithm. With the power of computers growing exponentially, cracking this or even more modern algorithms is only a matter of time.
What can be done to increase the time required to break an encryption algorithm?
What is often the trade-off when using more complex algorithms?
Phil Zimmermann had to face considerable resistance from the government before being allowed to distribute PGP. What were their concerns, and why did they finally allow its eventual release?
Think of other social engineering schemes that might be employed in an effort to intercept encrypted message