A flaw has been discovered in popular #encryption software used by many operating systems, including Linux, Windows & macOS X.
http://thehackernews.com/2017/07/gnupg-libgcrypt-rsa-encryption.html
A flaw has been discovered in popular #encryption software used by many operating systems, including Linux, Windows…
Published
No, encryption, if done properly, is mathematically proven to be unbreakable unless computing power increases manifold. This is simply an improperly (as in “there is a bug”) done encryption.
This is an interesting attack and the folks that created this attack are clearly clever. Having said that, one shouldn’t be storing one’s private key on a multiuser system. Anyone with root access (legit or otherwise) already has access to your formerly private key.
So, is this:
1. An attack on static encrypted messages, at rest?
2. An attack on static private keys, at rest, bypassing passphrase protection?
3. An attack on the encryption process itself, whilst it is running?
The article doesn’t make this clear, but the advice to update the library suggests the third case.
This substantially reduces the attack surface, as the attacker would require system access while a user is encrypting or decrypting messages. Still a problem, most especially on VMs.
But given a scope-of-issue basis, it’s the least bad of the three.