PGP: Serious flaw found in secure email tech

Brink

A widely used method of encrypting emails has been found to suffer from a serious vulnerability, researchers say.

PGP (Pretty Good Privacy) is a data encryption method sometimes added to programs that send and receive email.

Details about the vulnerability were released by the Suddeutsche Zeitung newspaper prior to a scheduled embargo.
Previously, the Electronic Frontier Foundation (EFF) had advised immediately disabling email tools that automatically decrypted PGP.

The problem had been investigated by Sebastian Schinzel, at Munster University of Applied Sciences.

After the embargo on releasing details about the vulnerability was lifted, Mr Schinzel and colleagues published their research revealing how the attack on PGP emails worked.

A website explaining the issue has also now been made public.


Read more: PGP: 'Serious' flaw found in secure email tech - BBC News
 

I always thought that PGP wasn't that good of an encryption standard to use. Instead, I think perhaps a one-time pad implementation should be used. The only issue is trying to pass the pad securely. Perhaps that part can be done with AES 256 or ECC or something. Perhaps even a cascade of ciphers like AES 256, ECC and Blowfish. But then again, the whole E-mail could use a cascade of ciphers as well. It's just that a one-time pad is uncrackable providing it's used correctly and the pad is never reused.

Perhaps in the corporate environment a digital one-time pad can be generated at the office using a type of synchronous USB fob.
 

> I always thought that PGP wasn't that good of an encryption standard to use. Instead, I think perhaps a one-time pad implementation should be used. The only issue is trying to pass the pad securely. Perhaps that part can be done with AES 256 or ECC or something. Perhaps even a cascade of ciphers like AES 256, ECC and Blowfish. But then again, the whole E-mail could use a cascade of ciphers as well. It's just that a one-time pad is uncrackable providing it's used correctly and the pad is never reused.

Most vulnerabilities found aren't actually problems in PGP, but in software rendering the decrypted emails instead. PGP is still the best possible choice.

One-time pad is great and theoretically uncrackable, but has the problem that it needs as much random key material as plain text, and you must ensure confidentiality of the key. AES is a symmetric algorithm, so you also need to ensure key protection by other means; that's what makes them impractical.

PGP uses those but in addition uses RSA, an asymmetric key encryption; that's what makes it really possible to have encrypted email without worrying about key distribution. Each one has a private key that's never sent to anyone and a public key that's freely distributed, and that's all.
Not coincidentally, that's the very same kind of cryptography that powers TLS and therefore HTTPS, and what makes secure browsing possible without having to distribute private things, which makes it practical to use in real life.
 

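The two one-time pad constraints raised in the posts above (as much key material as plaintext, and no reuse), as an added example that is not part of the original thread. The `OneTimePad` class, the `reused_pad_leak` function and the sample messages are constructed for illustration.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Hypothetical helper: a pre-shared pad whose bytes are spent exactly once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # everything before this offset is used up

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def encrypt(self, plaintext: bytes):
        """Return (pad offset, ciphertext); consumes len(plaintext) pad bytes."""
        n = len(plaintext)
        if n > self.remaining:
            raise ValueError(f"need {n} pad bytes, only {self.remaining} left")
        start, self._offset = self._offset, self._offset + n
        return start, xor(plaintext, self._pad[start:start + n])

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        """Receiver side: same pad copy, same offset."""
        return xor(ciphertext, self._pad[start:start + len(ciphertext)])


def reused_pad_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """What an eavesdropper gets if the same pad bytes encrypt two messages."""
    c1 = xor(m1, pad[:len(m1)])
    c2 = xor(m2, pad[:len(m2)])
    return xor(c1, c2)  # pad cancels: equals m1 XOR m2, no key needed


# Constructed sample messages (same length for the leak demonstration).
MSG_A = b"pay invoice 1041 today"
MSG_B = b"pay invoice 2207 later"

if __name__ == "__main__":
    pad = secrets.token_bytes(64)  # must reach the receiver out of band
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    off, ct = sender.encrypt(MSG_A)
    print(receiver.decrypt(off, ct), "pad left:", sender.remaining)
    print(reused_pad_leak(MSG_A, MSG_B, pad).hex())
```

The zero bytes in the leak output mark every position where the two plaintexts agree, which is why each pad byte can be used only once and the pad must be at least as long as all traffic it protects.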