Original release date: June 3, 2001
A complete revision history is at the end of this file.
A serious vulnerability exists in PGP that may prevent users from being able to access encrypted data.
PGP is the most commonly used encryption software on the internet. A feature of PGP is that it allows users to encrypt files, preventing unauthorized access to these files.
Symmetrical PGP encryption relies on the pass phrase mechanism, whereby a user uses a phrase as the key for encryption. The pass phrase is used when the data is first encrypted, and again when the user wishes to access the data.
Due to problems surrounding user memory, it is a somewhat common practice to store passwords and pass phrases somewhere they can be later retrieved by the user. To prevent unauthorized access to these passwords and pass phrases, encryption is sometimes used.
A flaw in the PGP encryption mechanism permits users to encrypt a file containing their pass phrase in case of forgetfulness. In those cases where the user does forget the pass phrase, however, they will be unable to access the encrypted data. This is clearly a severe problem with the design of PGP.
Users may be unable to access encrypted data or retrieve their passwords and pass phrases.
Since this issue is inherent in the structure of PGP, it is unclear whether a patch can be designed to solve this problem.
CUSERT is currently unaware of any real solutions to this problem; however, a workaround exists. CUSERT advises all users of PGP to not encrypt the files containing their passwords and pass phrases. A better solution is to post this information somewhere it can be easily retrieved, such as a POST-IT note on your monitor.
For enhanced backup security, it is recommended that you also post your passwords and pass phrases on your website if you have one. This will protect you in case of decreased viscosity on your POST-ITs.
CUSERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
Copyright 2001 Blake R. Swopes.