Is electronic signature in jeopardy?

05-04-2001

Recently, a major Czech IT firm announced that two of its cryptologists had discovered a serious flaw in the OpenPGP standard, an encryption technology widely used in electronic signature systems throughout the world.

PGP is a hybrid cryptosystem made up of four cryptographic elements and, as such, is regarded as practically unbreakable. Vlastimil Klima and Tomas Rosa discovered a way to bypass the strong encryption and obtain the private signature key using a special programme. The attacker is then able to use someone else's electronic signature. They say the format is an example of using the right tools in the wrong way, as it takes about half a second for an ordinary office PC to calculate the stolen signature key.

Both the inventor of PGP, Philip Zimmermann, and the company which produces encryption software based on this format, Network Associates, have acknowledged that the system is vulnerable. However, they downplay the seriousness of the loophole, pointing out that only the signature can be attacked, while encrypted data cannot be accessed or compromised in any way.

The affair has naturally created a ripple of interest among the public, as legislation on electronic signature has only recently been adopted in the Czech Republic. However, there has been a delay in implementing the law due to the lack of regulations to define the exact procedures and technology.

How serious is the flaw in reality and what practical impact could it have? And how will it affect the implementation of electronic signature in official documents in the Czech Republic? I asked Mr Klima and Mr Rosa themselves.

For the full description of the attack, see Electronic attack.