17 comments

[ 4.5 ms ] story [ 47.7 ms ] thread
Does anyone know if this is true? Is it a side-channel attack? The translated English is pretty hard to make sense of.
No, it's not true. Some minor news outlet misunderstanding things.
Or some major politicians :)
dhoe is correct. If this were even the slightest bit true it would create a global panic, even if it was only a vulnerability in PGP's implementation.
Note that "depending on the type and quality of the encryption" can mean "if you use 512-bit keys" (or e.g. use weak entropy to generate the keys). Indeed, that's the likely explanation - if Germany really figured out how to decrypt best-practice PGP, they wouldn't be blabbing about it.

(Also note that the Subject: line is unencrypted by design.)

Most likely they just don't know what they're talking about. This is a government answer to a question posed by parliament, which means that it probably went through a lot of hands, most of which don't even know what PGP stands for, let alone what the technology does.

The statement itself is very vague anyway, saying that "it depends on the strength and the quality of the encryption". Which most likely translates to: they cannot actually break PGP, but they have some tricks to get key material via other means, and then obviously they can decrypt.

In addition to weak keys, I would not be surprised if most of the time they actually just steal the keys off the subject's system (and install keyloggers for catching the passphrase). The "Bundestrojaner" (federal trojan) has been widely reported and even if the police no longer use that particular software, I'm sure the secret service have their own, similar tools.

The other thing is that often, knowing who the subject is talking to and when is probably half the battle. PGP doesn't intrinsically protect against that.

Agreed. No matter how complex they key, phyiscal security can nearly always be broken. From mysterious breaks ins to _we have ways of making you talk_
Maybe they mean PHP.
"Can decrypt" is a phrase that gives many interpretations

For example, SSH, can you do a MITM? Can you decode a pcap dump? Only for a specific crypt?

Same thing with a PGP, if you have resources you can certainly throw several machines at a dictionary attack and can come with a decryption for most cases (after a long time).

> "Can decrypt" is a phrase that gives many interpretations

It's also not the phrase that Google translate gives me - I get "at least partially and / or evaluate", which could refer to lots of things, eg. traffic analysis.

Also... anybody with a copy of PGP (or GPG) can decrypt PGP'ed messages. PGP would be rather pointless otherwise.

Edit: Also there's a pretty good chance it's just plain old fashioned bollocks.

The answer given is so vague and devoid of meaning they could just as well have answered with a "Some times may be". I don't see any reason to be concerned about the security of PGP.
I just had a look at the original post (I'm a native speaker). It said that the government claims to be able, in principle, to partially decrypt PGP and Secure Shell. This is a vague enough statement.

Further, the German government has an incredibly poor track record when it comes to IT. Recent highlights include a laughable "national trojan" that cost millions of tax payer money and didn't quite live up to (leaked) specifications. Further, the lack of knowledge about all matters IT of our elected leaders are frequently being ridiculed. There are interviews of ministers floating around who couldn't say what the Internet or a web browser was.

My best bet is that the spokesperson simply had no clue what PGP is and gave an evasive answer.

Does now every crap get voted to the top on HackerNews?
Understand that Western governments have had legal access to rubber-hose cryptography for some time. Inasmuch as a person may be beaten with a rubber hose until the passphrase is revealed, I've no doubt they are able to break PGP.
I think the title sounds much to factual for such a vague statement. They that they are in principle able to decrypt such encryption, that can mean anything from "we can if the key is weak" over "there is a law which permits us to install a backdoor on your pc" to "we can beat you up until you tell us your password".

And it is in the best interest of german intelligence agencies to make such a vague statement. If they would admit that they are unable to break pgp, that would be taken as a software recommendation by everyone who is afraid of them.

The NSA have been saying for years that PGP was just that - "Pretty Good"