Thread: Hypothesis: PGP backdoor (was: A security bug in PGP products?)

Hypothesis: PGP backdoor (was: A security bug in PGP products?)
user name
2006-08-24 02:05:57
Hello.

We discussed with V. Klima about the "recent" bug in PGPdisk that allowed extraction of key and data without the knowledge of passphrase. The result is a *very*wild*hypothesis*.

Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html

Question 1: why hasn't anybody noticed in three months? Why has there not been a serious notice about it?

According to the paper, both "standard" .pgd and self-extracting SDA (self-decrypting archives) are affected. Systematic backdoor maybe?

Possibilities:

1) it is a hoax. Though with very low probability. The text seems to include a lot of work and makes perfect sense (REPE CMPS, all the assembly), i.e. we suppose it is highly improbable that somebody would make such a hoax. This can be either proven or disproven simply by checking the Win program using a hex editor/debugger (using an already downloaded copy). I haven't had the time to check it yet (no Win).

2) AFAIK, Zimmermann is no longer in control of the company making PGP. AFAIK the company (NAI) has been bought by another group a couple of years ago.

www.pgp.org says:

"
2002/03/08 - NAI drops PGP Desktop
2001/10/15 - NAI to sell PGP division
"

It may therefore be quite possible that NSA/CIA/FBI/etc. couldn't force Zimmermann to compromise his own product directly, so they have bought the company. The backdoor might have been introduced in the latest releases (e.g. 8.x, 9.x).

3) there was a lazy programmer, or a programmer-infiltrator from the ranks of intelligence services. What does one do when a cryptosystem seems unbreakable? He circumvents it. AFAIK the code has been checked many times in NAI, until some point in time.

As you all probably know, there has been a lot of mischief around Zimmermann and PGP in the '90s. We don't think NSA/CIA/FBI/etc. would "just give up without a fight". You know, the "three-line PERL RSA implementations on T-shirts" and so on.

Code of PGPdisk 9.x looks like this according to the paper: when the passphrase is changed, the key itself remains untouched. If at least the encryption key has been encrypted by a symmetric key generated e.g. by PBKDF2 from the passphrase.

----
Conclusion: it seems that NSA/CIA/FBI/etc. haven't called a truce. Though, a very clever solution. Nevertheless, nothing we haven't already seen in 1st/2nd world war tactics.

What do you think? Your input is welcome.

OM

P.S. sorry for any misspellings of names


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Hypothesis: PGP backdoor (was: A security bug in PGP products?)
user name
2006-08-27 16:47:24
On Thu, 24 Aug 2006, Ondrej Mikle wrote:

> 2) AFAIK, Zimmerman is no longer in control of the company making PGP.
> AFAIK the company (NAI) has been bought by another group couple of years
> ago.

The rescue of PGP from NAI's gross neglect and mismanagement of the product line was orchestrated by individuals involved in the original PGP, Inc. startup, and led by respected cryptographic engineer Jon Callas (also known for being the editor of RFC 2440) and Phil Dunkelberger (the original PGP, Inc., CEO.) As part of their acquisition of the PGP product line, they hired (nearly?) the entire PGP programming team, including such familiar faces as Will Price and Hal Finney.

http://www.pgp.com/company/management.html

As a former NAI employee who worked on the PGP products, I firmly believe the software is in far more capable hands now from a management standpoint. As a PGP Universal user, I'm delighted by the significant improvements in usability that the new management has allowed the engineering team to make. The myopia of NAI's executives toward the usability problems in PGP was one of the reasons I quit the company in frustration.

Also, for what it's worth, Phil was ousted from NAI in 2000, prior to the discontinuation of NAI's commitment to the PGP product line, but he *is* involved with the current PGP Corporation, as a member of the technical advisory board.

http://www.pgp.com/company/boards/tab.html

I also have no question, personally, that if there's a backdoor in PGP, neither Mr. Callas nor any of the PGP engineers I had the pleasure to work with know of it. Your theory is indeed wild, and though I don't mean to discourage vigilance in questioning these sorts of potential subversions of integrity in software as important as PGP, you might consider doing more research into the background of people against whom you choose to levy hypothetical accusations in public forums in the future.


--Len.



Hypothesis: PGP backdoor
user name
2006-08-28 10:41:03
Len Sassaman wrote:
> On Thu, 24 Aug 2006, Ondrej Mikle wrote:
> I also have no question, personally, that if there's a backdoor in PGP,
> neither Mr. Callas nor any of the PGP engineers I had the pleasure to work
> with know of it. Your theory is indeed wild, and though I don't mean to
> discourage vigilance in questioning these sorts of potential subversions
> of integrity in software as important as PGP, you might consider doing
> more research into the background of people against whom you choose to
> levy hypothetical accusations in public forums in the future.
> 

OK, thanks for answering. I had only a very limited view of the background behind PGP (i.e. stuff about NAI/PGP corp).

One last question: what about the PGPdisk SDA (self-decrypting archives, i.e. executables)? There has been a claim that SDA archives can be decrypted using a debugger. Is it true or false? See the section "Two Ways to bypass PGP SDA Authentication and EXTRACT with success" in the "advisory" http://www.safehack.com/Advisory/pgp/PGPcrack.html. Is the guy confused again?

Thanks
   OM

Debunking the PGP backdoor myth for good. [was RE: Hypothesis: PGP backdoor (was: A security bug in
user name
2006-08-28 13:21:06
On 24 August 2006 03:06, Ondrej Mikle wrote:

> Hello.
> 
> We discussed with V. Klima about the "recent" bug in PGPdisk that
> allowed extraction of key and data without the knowledge of passphrase.
> The result is a *very*wild*hypothesis*.
> 
> Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html
> 
> Question 1: why haven't anybody noticed in three months? Why has not
> there been a serious notice about it?

  Because it is completely incorrect.  Utterly wrong.  This was explained on this list just a couple of days ago, look for the thread "A security bug in PGP products?" in the list archives.

> According to the paper, both "standard" .pgd and self-extracting SDA
> (self-decrypting archives) are affected. Systematic backdoor maybe?

  No, the paper is wrong.  They aren't affected, you can't break the encryption on them, and therefore there is no backdoor.

> Possibilities:
> 1) it is a hoax. Though with very low probability. The text seems to
> include a lot of work and makes perfect sense (REPE CMPS, all the
> assembly), i.e. we suppose it is highly improbable that somebody would
> make such hoax.

  It is not a hoax.  It is the work of an incompetent.  Like many of those who invent perpetual motion machines, he genuinely believes that what he has done is correct, but it isn't.  Unfortunately, but also very much like many of those who invent perpetual motion machines, when this is pointed out to him he assumes that everyone else is either stupid or malicious, rather than accept that his theory has a massive flaw which completely undermines it.

>  This can be either proven or disproven simply by
> checking the Win program using hex editor/debugger (using an already
> downloaded copy). I haven't had the time to check it yet (no Win).

  Actually, it can't, because the instructions he has given are not sufficient to follow.  At the critical point, he says you must replace the bytes where the disk encryption key is stored.  Unfortunately, he cannot tell you what to replace them with, unless you already happen to have a copy of the bytes representing that *exact* *same* disk encryption key stored *under* *a* *known* *passphrase*, and that is why the only example on his website that "works" is the one where you change the passphrase on a disk but don't re-encrypt it.  He even admits that in all other cases you will "extract crap".

  Examine the instructions at
http://www.safehack.com/Advisory/pgp/PGPcrack.html#Two_Ways_to_bypass_PGP_SDA_Authentication

----------------------------------<quote>----------------------------------
"Two Ways to bypass PGP SDA Authentication and EXTRACT with success

After spending a lot of time debugging and analyzing PGP SDA, we came up with a conclusion that we can successfully extract the contents of PGP SDA in 2 ways.

1) Modifying the contents of the address 00890D70. (Screen Capture)

The modification should be done in:
0040598F |. E8 AC3D0000 CALL filename_s.00409740

At: 00409740 /$ 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]

At this point change the contents of 00890D70.

After the bytes change, you will have to bypass authentication. After bypassing authentication you will be able to extract.

2) Modifying the contents of the address 00BAF670. (Screen Capture)

The Modification should be done in:
0040595F FF15 90324100 CALL DWORD PTR DS:[413290]

At: 004019DA /$ FF7424 08 PUSH DWORD PTR SS:[ESP+8]

At this point change the contents of 00BAF670.
NOTE: At this point if you change the contents of 00BAF670, you won't have to bypass authentication, it will work like a charm, and it will grant auth/extract.
----------------------------------<quote>----------------------------------

  Notice the crucial phrases "At this point change the contents of 00890D70", and "At this point change the contents of 00BAF670".  He gives you absolutely no information what it is that you need to change those bytes to.  Well, I can tell you.  You have to change them to be the value of the disk encryption key as encrypted by whatever passphrase you chose to enter.  You cannot do this unless you already know the disk encryption key.

  In other words, if you already know the key to decrypt the disk, you can decrypt the disk.  If you don't, however, you can't.

  Examine the writing a bit further down the page, where it says

----------------------------------<quote>----------------------------------
Accessing ANY PGP VIRTUAL Disk . (Need more testing and free time, Check Debugging Notes at the end)

At this point you can add users change existing users passphrase Re-encrypt disk and do other stuff. But when you try to access the disk you will get Disk is not formatted. This is when you need to use your debugger.

----------------------------------<quote>----------------------------------

  Notice how he doesn't say what you need to *do* with the debugger, so let me explain what he has skipped over:  Using only your debugger, you need to guess the decryption key for the disk.  Think that's something you can do with a debugger?

  The author has made the *exact* same error as when someone comes up with a magical compression algorithm that they say can compress absolutely any data down to a tiny size.  They always get the data to compress, sure, but they always have problems with the decompression stage.  They tend to think that this is just a minor bug in their decompressor they need more time to work on, but no amount of time will let them work around the fundamental mathematical fact that they've not got sufficient information in their compressed file to reconstruct the original.

  Similarly, this author has successfully bypassed the protection built into pgp that prevents you mounting a disk using the wrong encryption key, and has decrypted a disk with the wrong key, getting garbage out.  He thinks that he has solved the big problem and now has just one small problem left to solve.  However, the problem he has left to solve is in fact the exact same one he had to start with: how to decrypt a bunch of data when you have no idea of the key.  All he has done is decrypt a bunch of encrypted data with the wrong key.  Given that symmetrical encryption is a group, effectively he's randomised the original key that was used to encrypt the data.  THIS is the take-home point:-

  ***** He still can't decrypt it without guessing (i.e. brute-forcing) an encryption key the exact same size and strength as the original. *****

> What do you think? Your input is welcome.

  All your speculation is based on the assumption that the report is correct and that therefore there must be an explanation of some sort why the problem has occurred.  But the report is not correct, the problem has not occurred, and therefore there is nothing to explain.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....


Hypothesis: PGP backdoor (was: A security bug in PGP products?)
user name
2006-08-29 02:55:55
On 8/23/06, Ondrej Mikle <ondrej.mikle@gmail.com> wrote:
> We discussed with V. Klima about the "recent" bug in PGPdisk that
> allowed extraction of key and data without the knowledge of passphrase.

I skimmed the URL and it appears this claim was answered several times in the original thread.  Did you not read it, or not understand it?

You have to have a valid passphrase from before the change, because the passphrase unlocks the disk key which doesn't change, unless you explicitly tell it to.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
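The key hierarchy the thread is arguing about (Ondrej's passphrase-derived symmetric key that wraps a disk key which a passphrase change leaves untouched, Dave's point that decrypting under the wrong key only yields garbage of the same size, and Travis's note that the disk key changes only when you explicitly re-encrypt) as a small Python model. This is example code added here, not code from the thread, from the safehack advisory, or from PGP Corporation: the container layout, the HMAC-SHA256 counter keystream standing in for a block cipher, the XOR key wrap, the 8-byte check value and the PBKDF2 iteration count are all constructed for the demonstration and say nothing about PGPdisk's real on-disk format.

```python
import hashlib
import hmac
import os

# Constructed toy model of a passphrase -> KEK -> disk-key hierarchy.  It is
# not PGPdisk's real container format: the keystream cipher, the key wrap and
# the check value below are stand-ins chosen so the example runs on the
# standard library alone.

KEY_LEN = 32
PBKDF2_ITERS = 100_000  # assumption; the thread does not give PGPdisk's count


def _keystream(key: bytes, length: int, label: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a block-cipher mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key: the PBKDF2 step Ondrej refers to."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               PBKDF2_ITERS, KEY_LEN)


def crypt_data(disk_key: bytes, data: bytes) -> bytes:
    """Encrypts or decrypts volume contents; XOR with a keystream is symmetric."""
    return _xor(data, _keystream(disk_key, len(data), b"data"))


def make_header(disk_key: bytes, passphrase: str) -> dict:
    """Wrap the disk key under the passphrase-derived KEK, plus a check value."""
    salt = os.urandom(16)
    kek = derive_kek(passphrase, salt)
    wrapped = _xor(disk_key, _keystream(kek, KEY_LEN, b"wrap"))
    # The check value lets the software refuse a wrong passphrase.  It is a
    # convenience, not the protection: the data is protected by the key.
    check = hmac.new(kek, disk_key, hashlib.sha256).digest()[:8]
    return {"salt": salt, "wrapped": wrapped, "check": check}


def unlock(header: dict, passphrase: str):
    """Return the disk key, or None when the passphrase does not match."""
    kek = derive_kek(passphrase, header["salt"])
    disk_key = _xor(header["wrapped"], _keystream(kek, KEY_LEN, b"wrap"))
    expected = hmac.new(kek, disk_key, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, header["check"]):
        return None
    return disk_key


def create_volume(passphrase: str, plaintext: bytes):
    disk_key = os.urandom(KEY_LEN)
    return make_header(disk_key, passphrase), crypt_data(disk_key, plaintext)


def change_passphrase(header, ciphertext, old, new, rotate_disk_key):
    """Re-wrap the same disk key (cheap) or rotate it and re-encrypt (thorough)."""
    disk_key = unlock(header, old)
    if disk_key is None:
        raise ValueError("wrong passphrase")
    if not rotate_disk_key:
        # Only the wrapping changes.  A retained copy of the old header plus
        # the old passphrase still yields the very same disk key.
        return make_header(disk_key, new), ciphertext
    new_key = os.urandom(KEY_LEN)
    plaintext = crypt_data(disk_key, ciphertext)
    return make_header(new_key, new), crypt_data(new_key, plaintext)


def demo() -> dict:
    data = b"constructed volume contents, not real data. " * 3
    hdr0, ct0 = create_volume("old-pass", data)

    # Passphrase change without re-encrypting: the disk key survives unchanged.
    hdr1, ct1 = change_passphrase(hdr0, ct0, "old-pass", "new-pass", False)
    key_via_old_header = unlock(hdr0, "old-pass")

    # Passphrase change with re-encryption: the old key now decrypts to garbage.
    hdr2, ct2 = change_passphrase(hdr1, ct1, "new-pass", "newer-pass", True)

    return {
        "wrong_passphrase_rejected": unlock(hdr0, "guess") is None,
        "old_header_reads_unrotated_volume":
            crypt_data(key_via_old_header, ct1) == data,
        "new_passphrase_reads_volume":
            crypt_data(unlock(hdr1, "new-pass"), ct1) == data,
        "old_key_reads_garbage_after_rotation":
            crypt_data(key_via_old_header, ct2) != data,
        "rotated_volume_readable":
            crypt_data(unlock(hdr2, "newer-pass"), ct2) == data,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the two sides of the argument: a passphrase change that does not re-encrypt is only a re-wrap of the same disk key, so a header copy retained from before the change, together with the passphrase that was valid then, still opens the volume (Travis's point), while re-encrypting under a fresh disk key is the operation that actually revokes the old credential. It also shows Dave's point in miniature: feeding the wrong key to `crypt_data` returns output of the same length as the plaintext and just as unreadable, which is what "extract crap" means, and the check value in the header is only what makes the software refuse to mount, not what protects the contents.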
