GCHQ has updated details on its website after it denied that an expired PGP key was offered for secure communication.
Researcher Terence Eden told IT Security Guru that when he contacted GCHQ and asked for a public key with which he could encrypt communications, he was directed to a key on their website which had expired a few days earlier.
In response, GCHQ denied that this was the case. A GCHQ spokesman said: “The key on the website that you refer to was replaced well before its expiry date and the new one has been in operation for some time. The details on the website have been updated. These details were for information only and did not constitute a security risk.”
Eden said that he expected this response, but stood by his discovery of a key that expired on 31st January 2014.
A source told IT Security Guru that this is a common problem of certificates and encryption keys, that often the bills are not paid and things are allowed to lapse. Penetration tester and security researcher Robin Wood said that this was more a case of a “slight embarrassment than any kind of risk”.
“I’d guess the reason for using PGP is to make sure the malware can’t accidentally be ran or picked up and cleaned by malware scanners between the sender and CESG. In that case the certificate being out of date doesn’t really matter as the sample is still protected. In a web app, an out of date certificate is more serious as it is easier for an attacker to do a man-in-the-middle attack, in this case that type of attack is almost impossible to pull off,” he said.
In an email to IT Security Guru, Brian Honan, CEO of BH Consulting, said that this is not something that is best practise and it is advisable that people renew their PGP keys on a regular basis in order to ensure they are using the latest and strongest encryption techniques.
“When retiring and expired keys, good practise would be that the new replacement key is generated a few weeks before the expiration date for the old key. The new PGP key should then be signed (validated) by the old PGP key before it expires so that there is a continuity of security and service,” he said.
“If the key has expired it can still be used to send and receive encrypted ema
il. However, the issue is can those sending/receiving email to the account with the expired key continue to trust that key? Also once the key expires it could be possible for an attacker to create a fake PGP key in an attempt to impersonate the user.
“Without the original key to sign a new key, those wishing to correspond with the genuine key owner have no direct way to verify which new key is valid, the user’s key or that generated by the attacker. They would be other ways to confirm the genuine key holder, e.g. phone call with a known number for the person, but it would take additional effort to do so.”