The (admittedly somewhat less salubrious) elements of the web were briefly intrigued over the weekend with the rumour that German intelligence services had ‘cracked’ PGP. Whilst probably not of immediate concern to anyone not currently shifting large amounts of money out of Greece, there’s clearly a twinge of unease that the common man’s encryption method of choice might be vulnerable. After all, the inevitable trickle down of technology suggests that whilst it might start with just the Militärischer Abschirmdienst being able to read your bank details, eventually someone in the Ivory Coast will be using the same methods to top up their phone with your cash.
Anyway, from a quick scan of t’web last night it appears to be some significant sausage waving with limited actual fact. It stemmed from a Google translated sentence ‘The federal government declared that its intelligence agencies generally are able, to decrypt PGP and Secure Shell, at least in part’. Given a standard PGP-encrypted message doesn’t hide the sender, recipient, subject or time sent, that’s probably enough to justify the ‘at least in part’ with any expenditure of effort. Beyond that, the standard Government approach to decrypting PGP content appears to be using keyloggers etc to capture keyring passwords (see United States vs Scarfo), legally requiring someone to reveal a password (United States vs Boucher, UK use of RIPA legislation) or somewhat less subtle means (see rubber-hose cryptanalysis). All of which have the potential to result in access to encrypted content, and none of which suggest there is any risk to the average user at the moment.
So we can all keep communicating bank details (or just generally communicating if you’re in China) via emails in safety a little while longer.