VULHUB ™

PGP and GnuPG are two popular implementations of the OpenPGP encryption specification. A weakness in the OpenPGP specification, as implemented by both products, may allow an attacker to learn the plaintext contents of encrypted communications. While some degree of user interaction is required, the attack is very plausible against non-technical end users. The weakness is based on a form of chosen ciphertext attack. A user of the vulnerable software must be enticed into decrypting a modified version of a valid message, which as been prepared by the attacker. The user must then disclose the results of this decryption to the attack, possibly as the results of social engineering. This information will allow the attacker to recover a portion of the original message. It is not believed to be possible to exploit this weakness against message content which is compressed during the OpenPGP encryption process. Modified data will generally result in an error in the decompression process, which...

PGP and GnuPG are two popular implementations of the OpenPGP encryption specification. A weakness in the OpenPGP specification, as implemented by both products, may allow an attacker to learn the plaintext contents of encrypted communications. While some degree of user interaction is required, the attack is very plausible against non-technical end users. The weakness is based on a form of chosen ciphertext attack. A user of the vulnerable software must be enticed into decrypting a modified version of a valid message, which as been prepared by the attacker. The user must then disclose the results of this decryption to the attack, possibly as the results of social engineering. This information will allow the attacker to recover a portion of the original message. It is not believed to be possible to exploit this weakness against message content which is compressed during the OpenPGP encryption process. Modified data will generally result in an error in the decompression process, which will be reported to the user under attack.