

German intelligence agencies can decrypt PGP (Google translate) - ungerik
http://translate.google.com/translate?sl=de&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.golem.de%2Fnews%2Fbundesregierung-deutsche-geheimdienste-koennen-pgp-entschluesseln-1205-92031.html

======
nhaehnle
Most likely they just don't know what they're talking about. This is a
government answer to a question posed by parliament, which means that it
probably went through a lot of hands, most of which don't even know what PGP
stands for, let alone what the technology does.

The statement itself is very vague anyway, saying that "it depends on the
strength and the quality of the encryption". Which most likely translates to:
they cannot actually break PGP, but they have some tricks to get key material
via other means, and then obviously they can decrypt.

~~~
pmjordan
In addition to weak keys, I would not be surprised if most of the time they
actually just steal the keys off the subject's system (and install keyloggers
for catching the passphrase). The "Bundestrojaner" (federal trojan) has been
widely reported and even if the police no longer use that particular software,
I'm sure the secret service have their own, similar tools.

The other thing is that often, knowing _who_ the subject is talking to and
_when_ is probably half the battle. PGP doesn't intrinsically protect against
that.

~~~
eblackburn
Agreed. No matter how complex they key, phyiscal security can nearly always be
broken. From mysterious breaks ins to _we have ways of making you talk_

------
JoachimSchipper
Note that "depending on the type and quality of the encryption" can mean "if
you use 512-bit keys" (or e.g. use weak entropy to generate the keys). Indeed,
that's the likely explanation - if Germany really figured out how to decrypt
best-practice PGP, they wouldn't be blabbing about it.

(Also note that the Subject: line is unencrypted by design.)

------
justanother
Understand that Western governments have had legal access to rubber-hose
cryptography for some time. Inasmuch as a person may be beaten with a rubber
hose until the passphrase is revealed, I've no doubt they are able to break
PGP.

------
phaer
I think the title sounds much to factual for such a vague statement. They that
they are _in principle_ able to decrypt _such encryption_ , that can mean
anything from "we can if the key is weak" over "there is a law which permits
us to install a backdoor on your pc" to "we can beat you up until you tell us
your password".

And it is in the best interest of german intelligence agencies to make such a
vague statement. If they would admit that they are unable to break pgp, that
would be taken as a software recommendation by everyone who is afraid of them.

------
raverbashing
"Can decrypt" is a phrase that gives many interpretations

For example, SSH, can you do a MITM? Can you decode a pcap dump? Only for a
specific crypt?

Same thing with a PGP, if you have resources you can certainly throw several
machines at a dictionary attack and can come with a decryption for most cases
(after a long time).

~~~
Joeboy
> "Can decrypt" is a phrase that gives many interpretations

It's also not the phrase that Google translate gives me - I get "at least
partially and / or evaluate", which could refer to lots of things, eg. traffic
analysis.

Also... anybody with a copy of PGP (or GPG) can decrypt PGP'ed messages. PGP
would be rather pointless otherwise.

Edit: Also there's a pretty good chance it's just plain old fashioned
bollocks.

------
jstanley
Does anyone know if this is true? Is it a side-channel attack? The translated
English is pretty hard to make sense of.

~~~
dhoe
No, it's not true. Some minor news outlet misunderstanding things.

~~~
leh
Or some major politicians :)

------
DasIch
The answer given is so vague and devoid of meaning they could just as well
have answered with a "Some times may be". I don't see any reason to be
concerned about the security of PGP.

------
blablabla123
Does now every crap get voted to the top on HackerNews?

------
hnwh
The NSA have been saying for years that PGP was just that - "Pretty Good"

