
PGP broken?

Created: 22 Mar 2011 | 5 comments


'In September 2007 Karim became a graduate IT trainee with BA. Police described his computer encryption as the most sophisticated they had seen . . . . It took nine months to crack Karim's home computer. . . .'


Tom Mc's picture

I scanned the article rather quickly, but don't see anything about what encryption was used.  Even if something as secure as PGP was used, it is certainly possible that a weak passphrase was used and that it was broken with a dictionary attack.  I suspect that most people use fairly weak passphrases.  It is also possible that the passphrase was attained by using a rubber hose attack on the accused. 

When you consider your issue resolved, please click Mark As Solution on the most helpful response.


SWendland's picture

From other articles, I read that he left breadcrumbs throughout his system regarding how he was encrypting/decrypting, storing, and sending his data.  While British law enforcement doesn't appear to have mentioned how they got into his PGP-encrypted folder - at least not in any of the new articles I've read - there is a lot leaning toward brute force.  Anyone given enough time can come up with the combination for a lock.

dfinkelstein's picture

There are no known breaks to the cryptography, and no known vulnerabilities in the implementation that would have assisted law enforcement.  Note that we still publish our source code for peer review.

There are tools out there that try to do an "intelligent" brute-force of your passphrase (e.g. by analyzing other available data and assuming that the passphrase you use is correlated).  Your best defense is always a strong passphrase, or the use of hardware (smart card) based keys.


David Finkelstein

Symantec R&D

Wolstan Dixie's picture

I did use a question mark, applying to both words - the article I cited doesn't say what encryption system he was using - if it was the best easily available I inferred PGP, and whatever it was it may not have been broken, but the length of time taken suggests it was.

Clearly the British police would have access to GCHQ / NSA and their Crays.  It struck me that nine months sounded about the right length of time for a sophisticated attack. A passphrase guessing attack surely wouldn't take that long?

Tom Mc's picture

Passphrases can be very secure, but people tend to use less secure ones due to not wanting to have to type in a long one, and concern about forgetting it.  When generating a new key, PGP has a bar that shows how your passphrase compares to a 128-bit AES key (which appears completely secure at this time).

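The comparison between a passphrase and a 128-bit AES key that comes up in the thread can be worked through numerically. The following is an added example, not part of any post above and not PGP's own strength meter: it assumes every symbol is chosen uniformly at random (an upper bound; human-chosen passphrases are weaker), and the guess rate and all function names are assumptions made for illustration.

```python
import math

AES_BITS = 128                       # comparison point named in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def random_secret_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random.
    Upper bound only: passphrases correlated with the owner's other data
    (the "intelligent" guessing mentioned above) carry far fewer bits."""
    return length * math.log2(alphabet_size)

def symbols_needed(alphabet_size: int, target_bits: int = AES_BITS) -> int:
    """Smallest number of random symbols that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def bar_fraction(bits: float, target_bits: int = AES_BITS) -> float:
    """Fraction of the 128-bit target reached, capped at 1.0."""
    return min(1.0, bits / target_bits)

def expected_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Average exhaustive-search time: half the space at the given rate."""
    return 2 ** (bits - 1) / guesses_per_second

def report(label: str, alphabet_size: int, length: int, rate: float) -> str:
    bits = random_secret_bits(alphabet_size, length)
    years = expected_search_seconds(bits, rate) / SECONDS_PER_YEAR
    return (f"{label:32s} {bits:6.1f} bits  "
            f"bar {bar_fraction(bits):4.0%}  ~{years:.3g} years on average")

if __name__ == "__main__":
    RATE = 1e9  # assumed guesses per second; not a figure from the thread
    # Constructed sample policies: (label, alphabet size, length)
    samples = [
        ("8 random lowercase letters", 26, 8),
        ("12 random printable ASCII", 95, 12),
        ("6 words from a 7776-word list", 7776, 6),
        ("10 words from a 7776-word list", 7776, 10),
    ]
    for label, size, length in samples:
        print(report(label, size, length, RATE))
    print("random symbols needed for 128 bits:",
          {size: symbols_needed(size) for size in (26, 95, 7776)})
```
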