[wsir-01/02-03] PGP 7.0 Split Key/Cached Passphrase Vulnerability
SECURITYVULNS:DOC:1491
Published 2001-04-11 00:00:00 (archived copy via vulners.com)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: PGP 7.0 Split Key/Cached Passphrase Vulnerability
ADVISORY ID: WSIR-01/02-03
DISCOVERED BY: Patrik Birgersson, Wkit Security AB
CONTACT: [email protected]
CLASS: —
OBJECT: PGP Desktop Security 7.0
VENDOR: Network Associates Technology Inc.
STATUS: Vendor contacted
REMOTE: Yes
LOCAL: Yes
PUBLISHED: 2001-04-08
UPDATED: 2001-04-10
VULNERABLE: PGP Desktop Security 7.0
+ Windows 2000

INTRODUCTION

PGP Desktop Security 7.0 is a collection of encryption software. It can
be used for encryption of e-mails, files and network communications, based
on PKI. It also offers a personal firewall and intrusion detection (IDS).
PGP includes the possibility to use split keys for encryption/decryption
and digital signing. When creating a split key, you are asked to set up
how many different shares will be required to rejoin the key.
The shares are saved as files, either encrypted to the public key of a
shareholder or encrypted conventionally if the shareholder has no public
key.
After the key has been split, attempting to sign with it or decrypt with
it will automatically attempt to rejoin the key. There are two ways to
rejoin a key, locally and remotely. Rejoining key shares locally requires
the shareholders' presence at the rejoining computer. Each shareholder is
required to enter the passphrase for his or her key share. Rejoining key
shares remotely requires the remote shareholders to authenticate and
decrypt their shares before sending them over the network. PGP's Transport
Layer Security (TLS) provides a secure link to transmit key shares, which
allows multiple individuals in distant locations to securely sign or
decrypt with their key shares.

VULNERABILITY DESCRIPTION

Wkit Security AB has found that if any caching option in PGP Desktop
Security 7.0 is activated there is a vulnerability that allows a malicious
user to encrypt/decrypt or sign any file or e-mail with a split key that
has been previously authenticated by an appropriate number of split-key
shareholders.

VULNERABILITY EXAMPLE

Users A, B, C and D each hold one share of a split key (let's say a
corporate management key). The split key requires two shares to
authenticate in order to be operational.

User A asks user B to provide his/her share for encryption of the latest
economic forecast (let's say a PDF document). User B knows that this is a
document that needs to be encrypted and should not be accessible by one
single user, so he/she connects to user A's PGP network session and
supplies his/her share for the split key, thus enabling encryption of the
economic forecast (user A's share is of course also supplied).

Now, user A has the option "Cache passphrase while logged on" activated
in his/her PGP software. This lets user A do "whatever" with the
split key.

Since user A in this example is malicious, he/she writes a press
announcement and signs it with the split key (corporate management key,
remember?). Imagine the impact a press announcement with negative (or any
other unwanted) information signed with a "trustable" key would have.

ADDITIONAL COMMENTS ON SPLIT KEYS

The concept of split keys/key shares that is used by PGP Desktop
Security 7.0 is not secure in itself, regardless of caching options
or any similar mechanism in the software. A malicious user could replace
the PGP software with a modified version, thus "grabbing" the key shares
from the other key share holders.

There are systems that solve this problem. They allow each party to
receive a copy of the data that they wish to sign or encrypt, and each
party performs a partial operation on it using their share on a trusted
system.
They then forward the partial result to the next user, and so on, until
all required users have processed the data. The last user generates
the final encrypted or signed data.

Since none of the users reveals their share, neither an outsider nor any
of the users ever obtains a copy of the reconstructed secret, so the
shares can be reused as long as you want.
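As an added example (not part of this advisory and not PGP's own code), the
following Python toy contrasts the rejoin model from the VULNERABILITY EXAMPLE
above, where the combining host ends up holding the whole key, with the
partial-operation model described in this section. It assumes a Shamir 2-of-4
split of an ElGamal-style private exponent and uses threshold ElGamal
decryption as the "partial operation"; the function names, the 64-bit toy
group generated at runtime and all sample values are constructed for
illustration only.

```python
"""Toy model of the two split-key designs the advisory contrasts (added example).

A private exponent s (an ElGamal-style key) is split 2-of-4 with Shamir secret
sharing over the prime-order subgroup the key lives in.  rejoin() is the PGP 7.0
model: the combining host reconstructs s, so once s sits in its memory (or a
passphrase cache) it can decrypt or sign without asking the shareholders again.
threshold_decrypt() is the "partial operation" model: each shareholder applies a
Lagrange-scaled share to the ciphertext on their own machine and the combiner
multiplies the partials, never learning s.  Parameters are constructed toy values.
"""
import random
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def group_params(bits=64):
    """Return (p, q, g): safe prime p = 2q + 1 and g generating the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            # Squaring any x in [2, p-2] lands in the order-q subgroup and is never 1.
            return p, q, pow(secrets.randbelow(p - 3) + 2, 2, p)

def split_secret(secret, threshold, n_shares, q):
    """Shamir split over Z_q: shares are points (x, f(x)) on a random polynomial."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, q) for i, c in enumerate(coeffs)) % q)
            for x in range(1, n_shares + 1)]

def lagrange_coefficient(i, xs, q):
    """Weight of share x_i so that f(0) = sum(lambda_i * f(x_i)) mod q."""
    num = den = 1
    for j in xs:
        if j != i:
            num, den = num * (-j) % q, den * (i - j) % q
    return num * pow(den, -1, q) % q

def rejoin(shares, q):
    """Rejoin model: whoever runs this ends up holding the whole exponent s."""
    xs = [x for x, _ in shares]
    return sum(lagrange_coefficient(x, xs, q) * y for x, y in shares) % q

def elgamal_encrypt(message, public_key, p, q, g):
    k = secrets.randbelow(q - 1) + 1
    return pow(g, k, p), message * pow(public_key, k, p) % p

def partial_decrypt(share, xs, c1, p, q):
    """Run on the shareholder's own trusted system; only c1^(lambda_i*s_i) leaves it."""
    x, y = share
    return pow(c1, lagrange_coefficient(x, xs, q) * y % q, p)

def threshold_decrypt(shares, ciphertext, p, q):
    """Combiner multiplies the partials: prod c1^(lambda_i*s_i) = c1^s, s never assembled."""
    c1, c2 = ciphertext
    xs = [x for x, _ in shares]
    blind = 1
    for share in shares:
        blind = blind * partial_decrypt(share, xs, c1, p, q) % p
    return c2 * pow(blind, -1, p) % p

def demo(threshold=2, n_shares=4):
    p, q, g = group_params()
    s = secrets.randbelow(q - 1) + 1               # the "corporate management key"
    shares = split_secret(s, threshold, n_shares, q)
    message = secrets.randbelow(p - 2) + 2          # constructed plaintext
    ct = elgamal_encrypt(message, pow(g, s, p), p, q, g)
    quorum = shares[:threshold]                    # users A and B contribute
    return {
        # After rejoin, A's host holds s outright; a passphrase cache just keeps it there.
        "rejoin_leaks_secret": rejoin(quorum, q) == s,
        # A's host receives only B's partial c1^(lambda_B*s_B), never s_B or s.
        "threshold_recovers_message": threshold_decrypt(quorum, ct, p, q) == message,
        "any_pair_works": all(threshold_decrypt([shares[i], shares[j]], ct, p, q) == message
                              for i in range(n_shares) for j in range(i + 1, n_shares)),
        "single_share_fails": threshold_decrypt(shares[:1], ct, p, q) != message,
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point the advisory makes: in the rejoin model the
combining host holds the complete key after the first authenticated operation,
and the passphrase cache only decides how long it stays resident, whereas in
the partial-operation model any quorum of shareholders can decrypt yet no host,
the combiner included, ever assembles s. A deployable version would also need
each shareholder to prove its partial is well formed (for example with a
zero-knowledge proof of correct exponentiation), which this toy omits.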

PGP DESKTOP SECURITY 7.0 SOFTWARE VS THIS ADVISORY

The information within this advisory does not imply in any way that the
cryptographic algorithms used by the PGP software contain a
vulnerability.

This advisory points out a risk in the method that is used for split
keys, not necessarily limited to the PGP Desktop Security 7.0 software
package. Other encryption software packages may use the same method for
split keys, thus making them vulnerable to malicious users.

However, Wkit Security AB feels that the caching feature of PGP Desktop
Security 7.0 makes the process of retrieving/storing shares from a split
key so easy that no expert knowledge is needed to exploit this
vulnerability.

SOLUTION/VENDOR INFORMATION/WORKAROUND

The vendor was contacted via e-mail ([email protected]) on March 8,
2001. The vendor reply was:

"You have sent this message to corporate e-mail support. However, we were
not able to determine that you have a valid support contract, which
entitles you to corporate e-mail support.
If you are a retail customer who has purchased a product for home or
personal use, please direct your questions to our retail support center
at: [email protected].
If you are a corporate customer who has support, or would like to purchase
support, please call our customer service department. They will give you a
grant number, which is your key to corporate support. Please include this
number in future e-mail support questions.
Customer service can be reached by following the prompts at:
972-308-9960."

On March 12, 2001 the vendor was contacted again on
[email protected], without any reply at all.

On March 21, 2001 the vendor was contacted via phone and we spoke to
(according to them) a PGP developer. An e-mail containing all information
was sent to his personal address @nai.com.

On March 26, 2001 a new e-mail was sent to the personal e-mail address
of the person mentioned earlier, where we requested some comment or other
verification about this issue, but no reply has been sent to us.
In this mail we also reminded them of the upcoming disclosure date,
according to the 30-day disclosure period Wkit Security AB uses (this
policy is described later in this document).

Wkit Security AB has no knowledge of any solution or workaround for this
problem. Even if the vendor were to disable caching for split keys, it
would still be possible for a malicious user to write his/her own software
to "grab" the key shares.

If one wishes to utilize split keys, the use of a system that does not
require exposure of key shares is preferred.

CREDITS

This vulnerability was originally discovered and documented by Patrik
Birgersson of Wkit Security AB, Håverud, Sweden.

Supplementary information and comments about this issue have been given by
Elias Levy of Security Focus (http://www.securityfocus.com) and moderator
of the Bugtraq mailing list.

Other advisories from Wkit Security AB can be obtained from:
http://www.wkit.com/advisories/

DISCLAIMER

The contents of this advisory are copyright (c) 2001 Wkit Security AB and
may be distributed freely, provided that no fee is charged and proper
credit is given.

Wkit Security AB takes no credit for this discovery if someone else has
published this information in the public domain before this advisory was
released.

The information herein is intended for educational purposes, not for
malicious use. Wkit Security AB takes no responsibility whatsoever for the
use of this information.

ABOUT THE COMPANY

Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a leading
role in the development of security thinking, regarding internal and
external data communication at companies and other organizations that
store sensitive information.

The company consists of two divisions: a service division, performing
security analysis and security reviews, and a product division. We work
together with strategic partners to bring programs and services into the
market. Our services and products are continuously developed to optimally
follow the world demand for IT security.

30-DAY DISCLOSURE

Whenever Wkit Security AB finds any security-related flaw in an operating
system or application, we will provide the vendor responsible for the
product with a detailed Incident Report.

We believe that 30 days is appropriate for the vendor to fix the problem
before we publish the incident report on our own web page and other
mailing lists/websites we find suitable for the majority of the worldwide
users.

If the vendor has a reasonable cause why they can't fix the problem in 30
days we can, after discussion, agree on a longer disclosure time.

ACKNOWLEDGEMENTS

Wkit Security AB's highest priority is public security, and we will
never release Incident Reports without informing the vendor and giving
them reasonable (30 days) time to fix the problem. In general, Wkit
Security AB follows the guidelines for reporting security breaches found
on the vendor's homepage or similar.

We urge vendors, in the same way we follow their guidelines, to inform us
about the solution; if possible, 2 days before the fix/solution is
presented to the majority. This gives us the chance to prepare our web
page to inform about the Incident and to present the solution in the way
the vendor suggests at the time it is made available to the majority.

CONTACT

Wkit Security AB should be contacted through [email protected] if no
other agreement has been made. Every incident report is assigned a report
number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one
responsible contact person from Wkit Security. When communicating with
Wkit Security AB in the matter of the Incident Reports, be sure to add the
WSIR number in the e-mail to avoid any problems.


Wkit Security AB
Upperudsvägen 4
S-464 72 Håverud
SWEDEN

http://www.wkit.com
e-mail: [email protected]


-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOtK7DgFyk+p4kGd0EQIXZACglghWnMPkmuw897urfM5vROPwQCUAoPHk
4wDOFasVFNN0W0vLphQi4rHq
=DGBe
-----END PGP SIGNATURE-----