
142    Chapter 3 • Communication Security: Remote Access and Messaging

When a person receives a message encrypted with PGP, they need to decrypt it before it can be read. Upon opening the message and clicking on the Decrypt PGP Message button, a dialog box appears asking for a password. This is the password that the user chose when setting up PGP on their machine. The user needs to have the public key from the person who sent the e-mail or the message cannot be deciphered. This protects the e-mail from being read by an unauthorized person. After the correct password is entered, the message and any file attachments are restored to their original format.

PGP is a well-respected method of encrypting e-mail, allowing users to send, encrypt, decrypt, and digitally sign any messages sent or received, regardless of whether they pass through an ISP or corporate mail server. A drawback to the technology has always been usability and consistent support from mail client vendors, who do not always incorporate the features into their latest versions of software (particularly among the freeware vendors). To this end, a free PGP-like command-line tool based on the RFC 2440 standard was developed by the Free Software Foundation: GnuPG. This freeware PGP replacement is fully supported by Mozilla’s Enigmail, while PGP is currently not. For many other mail clients, like the latest version of Outlook and Windows Mail, encryption of mail is supported by using a public key certificate. Many such certificates are already pre-loaded in an OS’s local certificate store and can be used “out of the box” with these mail clients for encryption. Optionally, a digital certificate can be purchased from a vendor and imported into the clients with very little effort.


Damage & Defense…

PGP is Not Impervious

PGP can be exploited through the use of chosen ciphertext. In a chosen ciphertext attack, a hacker creates a message and sends it to a targeted user with the expectation that this user will send the message to yet other users. When the targeted user distributes the message in an encrypted form, the hacker listens to the transmitted messages and figures out the key from the newly created ciphertext.

The vulnerability in PGP works in the same way. A nonsense message is sent to a targeted party, with the expectation that the targeted party will respond to the attacker’s message. Once the target responds to the message, the attacker can discover the key used to encrypt messages that have been sent to and from the targeted party.

Most PGP distributors are aware of this type of attack and have released newer versions that account for this flaw.
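The attack in the sidebar depends on the target decrypting attacker-supplied ciphertext with no check that the ciphertext is intact, and then revealing something about the result. The fix that later OpenPGP implementations shipped is an integrity tag, the Modification Detection Code of RFC 4880 (the successor to the RFC 2440 named above), which modern GnuPG versions check before releasing any plaintext and treat as fatal when it fails. The following is an added example, not code from the book or from the PGP or GnuPG projects: it models that difference with a toy XOR stream cipher built from SHAKE-256 (an assumption chosen so the script runs with only the Python standard library; real OpenPGP uses a block cipher in CFB mode, but the malleability shown is the same). The unauthenticated version silently returns altered plaintext when a single ciphertext byte is changed, while the integrity-checked version rejects the message outright. The key, nonce and message are constructed for the demonstration.

```python
import hashlib
import hmac

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream for illustration only: SHAKE-256(key || nonce) expanded to `length` bytes.
    # OpenPGP really uses a block cipher in CFB mode; the bit-level malleability is the same.
    return hashlib.shake_256(key + nonce).digest(length)


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Plain XOR with the keystream: confidentiality only, no integrity.
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so any altered ciphertext "decrypts" without complaint.
    return encrypt_unauthenticated(key, nonce, ciphertext)


def encrypt_authenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag binds nonce and ciphertext so modifications are detectable,
    # playing the role that the Modification Detection Code plays in real OpenPGP messages.
    ct = encrypt_unauthenticated(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    # Verify before decrypting; on failure no plaintext is released at all.
    if len(blob) < TAG_LEN:
        raise ValueError("message too short to carry an integrity tag")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified in transit")
    return decrypt_unauthenticated(key, nonce, ct)


def flip_byte(data: bytes, offset: int, mask: int) -> bytes:
    # Simulates one ciphertext byte being corrupted or altered between sender and recipient.
    return data[:offset] + bytes([data[offset] ^ mask]) + data[offset + 1:]


def demo(message: bytes = b"meet at noon") -> dict:
    # Constructed, fixed key and nonce so the run is reproducible; real code uses random values.
    key = hashlib.sha256(b"constructed demo key - not a real secret").digest()
    nonce = b"\x00" * 16

    # 1. Without integrity protection a changed byte yields changed plaintext and no error:
    #    the recipient cannot tell a tampered message from a genuine one.
    ct = encrypt_unauthenticated(key, nonce, message)
    tampered_plain = decrypt_unauthenticated(key, nonce, flip_byte(ct, 8, 0x01))

    # 2. With integrity protection the same change is detected before anything is decrypted.
    blob = encrypt_authenticated(key, nonce, message)
    try:
        decrypt_authenticated(key, nonce, flip_byte(blob, 8, 0x01))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "roundtrip_ok": decrypt_authenticated(key, nonce, blob) == message,
        "tampered_unauthenticated": tampered_plain,   # b"meet at ooon": one letter silently changed
        "tampered_authenticated_rejected": rejected,  # True: no plaintext released
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The operational lesson for users and mail-client integrators is the same as the code's: a message that fails its integrity check must be discarded without showing or quoting its contents, and a message that decrypts to nonsense should be treated as suspect rather than answered with the garbled text included, since that reply is exactly what the sidebar's attacker is waiting for.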






          www.syngress.com