Pretty Good Piggy-backing: Parsing vulnerabilities in PGP Desktop
Abstract
In this paper we demonstrate ‘piggy-back’ attacks on PGP Desktop 10 and its predecessors which can be exploited in targeted cybercrime attacks, i.e. targeting specific influential persons within an organization. We show that an attacker can add PGP messages (e.g. malicious files) into existing PGP messages signed by trusted sources in such a way that PGP Desktop still indicates that the result is signed while the decryption includes the additional messages. This could be exploited by an active attacker adding malicious content (e.g., executables or incriminating content such as pictures) into a PGP message: the result is still indicated authentic by PGP Desktop but the decrypted content will not only contain the legitimate message but also the malicious content.
Similar resources
DRAFT MIME Security with PGP
Previous work on integrating PGP with MIME (including the since withdrawn application/pgp content type) has suffered from a number of problems, the most significant of which is the inability to recover signed message bodies without parsing data structures specific to PGP. This work makes use of the elegant solution proposed in RFC1847, which defines security multipart formats for MIME. The secu...
DRAFT MIME Security with PGP March , 1996
Previous work on integrating PGP with MIME (including the since withdrawn application/pgp content type) has suffered from a number of problems, the most significant of which is the inability to recover signed message bodies without parsing data structures specific to PGP. This work makes use of the elegant solution proposed in RFC1847, which defines security multipart formats for MIME. The secu...
A look at the PGP ecosystem through the key server data
PGP-based encryption systems use a network of key servers to share public keys. These key servers operate on an add-only basis, thus the data gives us access to PGP public keys from over 20 years of PGP usage. Analyzing this data allows searching for cryptographic weaknesses at large scale. I created a parser script that puts the raw cryptographic data of the PGP keys into a database. Doing this...
PGP in Constrained Wireless Devices
The market for Personal Digital Assistants (PDAs) is growing at a rapid pace. An increasing number of products, such as the PalmPilot, are adding wireless communications capabilities. PDA users are now able to send and receive email just as they would from their networked desktop machines. Because of the inherent insecurity of wireless environments, a system is needed for secure email communica...
PGP, quo vasisti?
For more than a decade, the program PGP ("Pretty Good Privacy") has been regarded as the standard for e-mail and file encryption, especially among Internet users. Since the first version of the software, however, much has changed. Last year the two authors voiced their concern about the future of PGP. Here, prompted by current events, is an update, because since the Heise News...
Publication date: 2010