The flaw lies in the public and private key system used by PGP. It allows a hacker to alter the victim’s PGP public certificate and read any message encrypted with the altered certificate. The certificate is software that associates the user with the pair of keys and is used for signing, encrypting and decrypting messages. An attacker can add an additional key to the user’s public key certificate to be used as an additional decryption key.
Mike Wallach, president of PGP Security at Network Associates said: “To our knowledge, no customer data has been compromised.” The company emphasised that exploiting the flaw would be difficult and it criticised Senderek for publishing the details on-line without first approaching Network Associates, describing his action as “irresponsible.”
The flaw was not previously detected because until this year, it was illegal in the US to publish encryption source code on-line. Senderek and others studied the source code when Network Associates posted it on-line for peer review.