PGP Man in the Middle Attack
There is a fairly major hole in PGP that I have not seen published to date. PGP is based on IDEA and is an asymmetric (public-key) algorithm. The problem, as is true with most cryptographic implementations, is the implementation itself, not the algorithm.
Alice = (message sender who has a compromised network)
Bob = (message recipient)
Cathy = (wo/man in the middle)
In a normal environment, under the best circumstances, Cathy is a MITM after the fact, and PGP is not vulnerable to MITM attacks:
Let's assume in this scenario that Cathy has access to either Alice's or Bob's network (classic MITM) before either starts transmitting keys.
The foundation of trust is another problem. If Bob looks at the certificate, it is possible that it is even signed by other people he knows (all of whom are being attacked in the same manner). Although this scenario is less likely, it is possible.
The basic issue is that the user must transmit a public key somewhere, and any location can be compromised. Consider another scenario where Bob puts his public key on a web server that only he controls. When Alice connects to it from her compromised network, Cathy simply displays a different key to Alice. There is no easy way around this form of attack other than out-of-band mechanisms, over which Cathy has no control.
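As an added illustration (not part of the original paper), the following Python sketch models the key-fetch scenario above with constructed stand-in keys: Cathy rewrites every key Alice fetches, including the signatures on it, so a signature check only helps if Alice already holds the signer's genuine fingerprint, and an out-of-band fingerprint comparison catches the substitution outright. The key material, the names and the use of SHA-256 as a fingerprint are assumptions for the sketch, not PGP's real formats.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class PublicKey:
    owner: str
    material: bytes          # constructed stand-in for real key bytes
    signatures: tuple = ()   # (signer name, signer fingerprint) pairs

def fingerprint(key: PublicKey) -> str:
    """Fingerprint = hash of the key material (SHA-256 here is an assumption)."""
    return hashlib.sha256(key.material).hexdigest()[:40]

def make_key(owner: str, signers=()) -> PublicKey:
    sigs = tuple((s.owner, fingerprint(s)) for s in signers)
    return PublicKey(owner, f"{owner}-key".encode(), sigs)

class KeyServer:
    """Bob's web server, holding the genuine keys (an honest channel)."""
    def __init__(self, keys):
        self.keys = {k.owner: k for k in keys}
    def fetch(self, owner: str) -> PublicKey:
        return self.keys[owner]

class CompromisedChannel:
    """Alice's network with Cathy on it: every key fetched is replaced by one Cathy
    holds, and its signatures are rewritten to point at Cathy's substitute signers."""
    def __init__(self, server):
        self.server = server
    def substitute(self, owner: str) -> PublicKey:
        return PublicKey(owner, f"cathy-for-{owner}".encode())
    def fetch(self, owner: str) -> PublicKey:
        real = self.server.fetch(owner)
        sigs = tuple((s, fingerprint(self.substitute(s))) for s, _ in real.signatures)
        return PublicKey(owner, self.substitute(owner).material, sigs)

def alice_accepts(channel, owner: str, trusted_fps, oob_fp=None) -> bool:
    """Accept the fetched key only if it matches a fingerprint obtained out of band,
    or is signed by a key Alice already verified. A brand-new key with neither is refused."""
    key = channel.fetch(owner)
    if oob_fp is not None:
        return fingerprint(key) == oob_fp
    return any(fp in trusted_fps for _, fp in key.signatures)
```

Note that when Alice's trust roots themselves arrived over the compromised channel, Cathy's rewritten signature chain is internally consistent, which is the point made about the web of trust above.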
I have spoken with a few people about this who believe this may be only a minor issue. However, given that the entire reason PGP was invented is to prevent eavesdropping, that this method allows for a 100% seamless MITM attack, and, most importantly, considering the widespread use of this application, this is the largest issue today in any widespread asymmetric cryptographic implementation.
Note: Some people have commented that I am "ignorant" of the web of trust concept. Clearly these individuals have not read my paper (or at least not with an open mind). This is a hole in situations where you do NOT know the person or anyone they know. To quote myself, "In a normal environment, under the best circumstances, Cathy is a MITM after the fact, and PGP is not vulnerable to MITM attacks." This is only a vulnerability in new communications with people you don't know (or don't know well) and to whom you have no common friend.
Also, it should be noted that the web of trust concept only works on keys that aren't new. How many times have you asked someone, "Please go install PGP," so that you could communicate with them securely? These are the users with whom communications are vulnerable. For instance, to my knowledge no one has ever signed any of my keys. I wouldn't have written this paper if I hadn't been able to do this myself, bringing it beyond the theoretical and into the practical. To these individuals, please read the paper before you pass judgement.