Software Flaw Compromises E-Signatures

By ABC News
March 23, 2001, 11:05 AM

NEW YORK, March 23 -- Security experts expressed skepticism about the gravity of a flaw in the most popular software for sending encrypted e-mail.

The vulnerability in Pretty Good Privacy, disclosed by two Czech cryptologists on Tuesday, could allow a hacker to use someone else's electronic signature to send messages. That, in essence, could mean the forging of signatures increasingly used to authorize such things as financial transactions.

Software Creator Questions Threat

Philip Zimmermann, the creator of PGP, confirmed the flaw exists, but on Wednesday questioned how useful it would be to attackers.

A hacker would first have to bypass security firewalls and gain access to the recipient's hard drive. If a hacker can get that far, Zimmermann said, the user has greater worries, including the ability for someone to install software to monitor keystrokes like passwords.

The Czech cryptologists, working for Prague-based ICZ, announced their discovery on Tuesday. The company said the discovery happened while conducting research for the Czech National Security Authority.

Program Could Gain Popularity

Although fewer than 10 million people worldwide currently use PGP, the use of e-signatures could rise now that the U.S. government gives legal standing to documents "signed" online. An e-signature law took effect Oct. 1, although it did not detail permissible methods.

PGP uses a dual-key mechanism in which one key locks a message and a different key unlocks it.

People who want to receive scrambled mail distribute a public key that locks messages. A sender uses a person's public key to encrypt the message, which can be unlocked only by the private key of the recipient.

A separate set of keys is used for authentication, which ensures a message actually comes from the sender and not an impostor. It also helps verify that the message isn't altered in transit. To access either of the private keys, the e-mail recipient normally has to type in a password.