Q
Problem solve Get help with specific problems with your technologies, process and projects.

PGP keys: Can accidental exposures be mitigated?

The accidental publication of an Adobe private key could have put the company in jeopardy. Matt Pascucci explains how it happened and how to better protect PGP keys.

Adobe accidentally published one of its private PGP keys on the company's Product Security Incident Response Team...

blog. What steps should be taken when PGP keys are accidentally exposed? And are there any ways to prevent information like this from being published in content management systems?

Recently, security researcher Juho Nurminen attempted to contact Adobe via their Product Security Incident Response Team (PSIRT) regarding a security bug he wanted to report. Instead, he stumbled across something much more vulnerable.

It turns out that Adobe not only published their public key on their website, which is used to send encrypted emails, but the corresponding private PGP keys, as well. After being contacted privately by Nurminen, Adobe moved quickly to revoke the key and had it changed.

The risks of having the entire key pair published on the site could have led to phishing, decryption of traffic, impersonation, and spoofed or signed messages from Adobe's PSIRT. This was extremely embarrassing for Adobe; however, their ability to act quickly was their saving grace.

One thing that they did right was putting a passphrase on the certificate because, without it, the Adobe private key is useless to those with malicious intent. This is one step that every organization should take to protect against the accidental release of a certificate or having an attacker gain access to keys and attempt to use them maliciously. Be warned though -- having a passphrase on a certificate for security is only as good as the passphrase it's being secured with, and a weak passphrase increases the probability of it being brute-forced.

Having procedures in place to quickly revoke PGP keys when needed should be part of your organization's incident response plan. This might not be a common occurrence for many people; however, being able to manage certificates in an expedited fashion could not only save your organization, but could also stop those with malicious intent from attempting to impersonate you.

Having procedures in place to quickly revoke PGP keys when needed should be part of your organization's incident response plan.

Acting quickly is extremely important. Luckily, the Adobe private key had limited use -- the certificate was only being used for email communication for the PSIRT, so it wasn't as publically used as some of their other certificates.

As for how the certificate was published in the first place, that's a different issue -- I'd be very curious to know why this certificate was sent in the first place, and who sent it. There should be some type of privileged access in place for these certificates internally, which I'm assuming is a different department from those managing the CMS.

I understand things can accidentally be miscommunicated or published, but there seems to have been a few breakdowns in the communication process for the Adobe private key to have been published to the internet. I'm hoping Adobe was able to learn from the experience, make adjustments and tighten their security.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn how to protect PGP short keys

Discover how encryption algorithms differ

Read why the SHA-1 hashing algorithm was depreciated

This was last published in December 2017

Dig Deeper on Email and messaging threats

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Does your organization have procedures in place in case any private PGP keys are exposed, such as when the Adobe private key was leaked?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close