From advisories@WKIT.COM Tue Apr 10 10:40:39 2001
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Tue, 10 Apr 2001 10:07:22 +0200
Subject: [BUGTRAQ] [wsir-01/02-03] PGP 7.0 Split Key/Cached Passphrase Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: PGP 7.0 Split Key/Cached Passphrase Vulnerability
ADVISORY ID: WSIR-01/02-03
DISCOVERED BY: Patrik Birgersson, Wkit Security AB
CONTACT: advisories@wkit.com
CLASS: ---
OBJECT: PGP Desktop Security 7.0
VENDOR: Network Associates Technology Inc.
STATUS: Vendor contacted
REMOTE: Yes
LOCAL: Yes
PUBLISHED: 2001-04-08
UPDATED: 2001-04-10
VULNERABLE: PGP Desktop Security 7.0 + Windows 2000

INTRODUCTION

PGP Desktop Security 7.0 is a collection of encryption software. It can be used for encryption of e-mail, files and network communications, based on a PKI. It also offers a personal firewall and intrusion detection (IDS).

PGP offers the option of using split keys for encryption/decryption and digital signing. When creating a split key, you are asked to set how many different shares will be required to rejoin the key. The shares are saved as files, each encrypted to the public key of a shareholder, or encrypted conventionally (with a passphrase) if the shareholder has no public key. After the key has been split, any attempt to sign or decrypt with it automatically attempts to rejoin the key.

There are two ways to rejoin a key: locally and remotely. Rejoining key shares locally requires the shareholders to be present at the rejoining computer; each shareholder is required to enter the passphrase for his or her key share. Rejoining key shares remotely requires the remote shareholders to authenticate and decrypt their shares before sending them over the network.
PGP's Transport Layer Security (TLS) provides a secure link over which to transmit key shares, which allows multiple individuals in distant locations to securely sign or decrypt with their key shares.

VULNERABILITY DESCRIPTION

Wkit Security AB has found that if any passphrase caching option in PGP Desktop Security 7.0 is activated, a malicious user can encrypt/decrypt or sign any file or e-mail with a split key that has previously been rejoined by an appropriate number of split-key shareholders. The shareholders intend to authorise a single operation, but once the passphrase of the rejoined key is cached, the user at the rejoining computer can apply the key to anything without involving the shareholders again.

VULNERABILITY EXAMPLE

Users A, B, C and D hold one share each of a split key (let's say a corporate management key). The split key requires two shares to be rejoined in order to be operational.

User A asks user B to provide his/her share for encryption of the latest economic forecast (let's say a PDF document). User B knows that this is a document that needs to be encrypted and should not be accessible to one single user, so he/she connects to user A's PGP network session and supplies his/her share for the split key, thus enabling encryption of the economic forecast (user A's share is of course also supplied).

Now, user A has the option "Cache passphrase while logged on" activated in his/her PGP software. This lets user A do "whatever" with the split key. Since user A in this example is malicious, he/she writes a press announcement and signs it with the split key (the corporate management key, remember?). Imagine the impact a press announcement with negative (or any other unwanted) information, signed with a "trustable" key, would have.

ADDITIONAL COMMENTS ON SPLIT KEYS

The concept of split keys/key shares that is used by PGP Desktop Security 7.0 is not secure in itself, regardless of caching options or any similar mechanism in the software. Every share is delivered to the rejoining computer, so a malicious user could replace the PGP software there with a modified version, thus "grabbing" the key shares from the other shareholders. There are systems that solve this problem.
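The two designs contrasted in this section, as an added example that is not part of the advisory and not PGP's own code: a 2-of-4 split key in a toy ElGamal group, with Shamir sharing as the split scheme (a stand-in for whatever share format PGP actually uses, which the advisory does not describe). `CachedRejoin` models the pattern from the VULNERABILITY EXAMPLE: all shares are delivered to one computer, the key is rejoined and cached, and that computer's operator can then decrypt (or, by the same logic, sign) anything. `threshold_decrypt` models the partial-operation systems referred to in the sentence just above: each shareholder applies only their own share on their own system and forwards a running result, so the full key is never reconstructed anywhere. The group parameters, the names and the sample messages are constructed for this example.

```python
"""Added example (not from the advisory or from PGP): a 2-of-4 split key in a
toy ElGamal group, used two ways.  `CachedRejoin` models the PGP 7.0 design the
advisory describes, where the rejoined key is reconstructed on one machine and
cached; `threshold_decrypt` models the partial-operation design the advisory
prefers, where each shareholder applies only their own share and forwards a
running result, so the full key never exists anywhere."""
import secrets

# Constructed toy group parameters (far too small for real use): safe prime
# P = 2Q + 1, generator G of the order-Q subgroup.  Exponents live mod Q.
P = 2039
Q = 1019
G = 4


def lagrange_at_zero(xs, q=Q):
    """Lagrange coefficients (mod q) for recovering f(0) from points xs."""
    coeffs = []
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        coeffs.append(num * pow(den, -1, q) % q)
    return coeffs


def split_key(secret, k, n, coeffs=None, q=Q):
    """Shamir k-of-n split of `secret`; returns [(x, f(x)), ...] for x = 1..n.
    `coeffs` fixes the otherwise random polynomial coefficients (for tests)."""
    poly = [secret] + (list(coeffs) if coeffs is not None
                       else [secrets.randbelow(q) for _ in range(k - 1)])
    assert len(poly) == k
    return [(x, sum(c * pow(x, e, q) for e, c in enumerate(poly)) % q)
            for x in range(1, n + 1)]


def rejoin_key(shares, q=Q):
    """Reconstruct the whole private key from >= k shares (PGP's rejoin step)."""
    lam = lagrange_at_zero([x for x, _ in shares], q)
    return sum(l * s for l, (_, s) in zip(lam, shares)) % q


def encrypt(pub, m):
    """Toy ElGamal encryption of m (0 < m < P) to public key pub = G^x."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pub, r, P) % P


def decrypt(priv, ct):
    """Plain decryption with the whole private key x: m = c2 / c1^x."""
    c1, c2 = ct
    return c2 * pow(pow(c1, priv, P), -1, P) % P


class CachedRejoin:
    """The PGP 7.0 pattern: shareholders supply shares for one operation, the
    rejoined key is cached, and the machine's operator can then use it freely."""

    def __init__(self, shares):
        self.cached_key = rejoin_key(shares)   # full key now sits on this host

    def decrypt(self, ct):                     # no shareholder involvement
        return decrypt(self.cached_key, ct)


def partial_decrypt(share, xs, ct, acc):
    """One shareholder's step on their own trusted system: raise c1 to
    (lambda_i * share_i) and multiply it into the running result `acc`.
    Only `acc` is forwarded; the share itself never leaves this shareholder."""
    x, s = share
    lam = lagrange_at_zero(xs)[xs.index(x)]
    return acc * pow(ct[0], lam * s % Q, P) % P


def threshold_decrypt(shares, ct):
    """Chain the partial operations through the participating shareholders;
    the last one finishes the decryption.  No full key is ever computed."""
    xs = [x for x, _ in shares]
    acc = 1
    for share in shares:
        acc = partial_decrypt(share, xs, ct, acc)   # forwarded to next user
    return ct[1] * pow(acc, -1, P) % P


if __name__ == "__main__":
    x = 777                                  # the management private key
    shares = split_key(x, 2, 4)              # A, B, C, D hold shares[0..3]
    pub = pow(G, x, P)
    forecast, press_release = encrypt(pub, 123), encrypt(pub, 456)

    # B agreed to help A with the forecast; A's cache now covers anything.
    a = CachedRejoin([shares[0], shares[1]])
    print(a.decrypt(forecast), a.decrypt(press_release))        # 123 456

    # Partial operations: every new message needs the shareholders again.
    print(threshold_decrypt([shares[0], shares[1]], forecast))  # 123
```

Run stand-alone, the cached copy decrypts the press release that B never agreed to, whereas the partial-operation path needs a threshold of shareholders for every message and a single share on its own yields garbage. The threshold step is the standard Lagrange-in-the-exponent construction; a real deployment would also need verifiable shares, authenticated forwarding and a properly sized group, none of which this toy provides. The advisory's next paragraph describes such partial-operation systems in prose.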
They allow each party to receive a copy of the data that they wish to sign or encrypt, and to perform a partial operation on it using their share on a trusted system. They then forward the partial result to the next user, and so on until all required users have processed the data; the last user produces the final encrypted or signed data. Since none of the users reveals their share, neither an outsider nor any of the participants ever obtains a copy of the reconstructed secret, and the shares can be reused for as long as desired.

PGP DESKTOP SECURITY 7.0 SOFTWARE VS THIS ADVISORY

The information within this advisory does not imply in any way that the cryptographic algorithms used by the PGP software contain a vulnerability. This advisory points out a risk in the method that is used for split keys, not necessarily limited to the PGP Desktop Security 7.0 software package. Other encryption software packages may use the same method for split keys, which would make them equally exposed to malicious users. However, Wkit Security AB feels that the caching feature of PGP Desktop Security 7.0 makes the process of retrieving/storing shares from a split key so easy that no expert knowledge is needed to exploit this vulnerability.

SOLUTION/VENDOR INFORMATION/WORKAROUND

The vendor was contacted via e-mail (pgpsupport@pgp.com) on March 8, 2001. The vendor's reply was:

"You have sent this message to corporate e-mail support. However, we were not able to determine that you have a valid support contract, which entitles you to corporate e-mail support. If you are a retail customer who has purchased a product for home or personal use, please direct your questions to our retail support center at: pgpsupport@pgp.com. If you are a corporate customer who has support, or would like to purchase support, please call our customer service department. They will give you a grant number, which is your key to corporate support. Please include this number in future e-mail support questions.
Customer service can be reached by following the prompts at: 972-308-9960."

On March 12, 2001 the vendor was contacted again at technicalsupport@pgp.com, without any reply at all.

On March 21, 2001 the vendor was contacted via phone and we spoke to (according to them) a PGP developer. An e-mail containing all information was sent to his personal address @nai.com.

On March 26, 2001 a new e-mail was sent to the personal e-mail address of the person mentioned earlier, in which we requested some comment or other verification of this issue, but no reply has been sent to us. In this mail we also gave a reminder of the upcoming disclosure date, according to the 30-day disclosure period Wkit Security AB uses (described later in this document).

Wkit Security AB has no knowledge of any solution or workaround for this problem. Even if the vendor were to disable caching for split keys, it would still be possible for a malicious user to write his/her own software to "grab" the key shares, since the shares are reconstructed into a single key on the rejoining computer. In this design the rejoining computer, and whoever controls it, is therefore trusted with the whole key; the share threshold protects against loss or compromise of individual share files, not against a malicious rejoining party. If one wishes to utilize split keys, a system that does not require exposure of key shares is preferable.

CREDITS

This vulnerability was originally discovered and documented by Patrik Birgersson of Wkit Security AB, Håverud, Sweden. Supplementary information and comments about this issue have been given by Elias Levy of Security Focus (http://www.securityfocus.com), moderator of the Bugtraq mailing list.

Other advisories from Wkit Security AB can be obtained from: http://www.wkit.com/advisories/

DISCLAIMER

The contents of this advisory are copyright (c) 2001 Wkit Security AB and may be distributed freely, provided that no fee is charged and proper credit is given. Wkit Security AB takes no credit for this discovery if someone else has published this information in the public domain before this advisory was released. The information herein is intended for educational purposes, not for malicious use.
Wkit Security AB takes no responsibility whatsoever for the use of this information.

ABOUT THE COMPANY

Wkit Security AB is an independent data security company working with security-related services and products. Wkit Security AB plays a leading role in the development of security thinking regarding internal and external data communication at companies and other organizations that store sensitive information. The company consists of two divisions: a service division, performing security analyses and security reviews, and a product division. We work together with strategic partners to bring programs and services to the market. Our services and products are continuously developed to follow the worldwide demand for IT security as closely as possible.

30-DAY DISCLOSURE

Whenever Wkit Security AB finds any security-related flaw in an operating system or application, we will provide the vendor responsible for the product with a detailed Incident Report. We believe that 30 days is an appropriate time for the vendor to fix the problem before we publish the Incident Report on our own web page and on other mailing lists/websites we find suitable for reaching the majority of users worldwide. If the vendor has a reasonable cause why they cannot fix the problem in 30 days we can, after discussion, agree on a longer disclosure time.

ACKNOWLEDGEMENTS

Wkit Security AB's highest priority is public security, and we will never release Incident Reports without informing the vendor and giving them a reasonable (30-day) time to fix the problem. In general, Wkit Security AB follows the guidelines for reporting security problems found on the vendor's homepage or similar. Just as we follow their guidelines, we urge vendors to inform us about the solution, if possible 2 days before the fix/solution is presented to the majority.
This gives us the chance to prepare our web page to inform about the Incident and to present the solution in the way the vendor suggests at the time it is made available to the majority.

CONTACT

Wkit Security AB should be contacted through advisories@wkit.com if no other agreement has been made. Every Incident Report is assigned a report number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one responsible contact person from Wkit Security. When communicating with Wkit Security AB in the matter of Incident Reports, be sure to include the WSIR number in the e-mail to avoid any problems.

***************************************************************************
Wkit Security AB
Upperudsvägen 4
S-464 72 Håverud
SWEDEN
http://www.wkit.com
e-mail: advisories@wkit.com
***************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOtK7DgFyk+p4kGd0EQIXZACglghWnMPkmuw897urfM5vROPwQCUAoPHk
4wDOFasVFNN0W0vLphQi4rHq
=DGBe
-----END PGP SIGNATURE-----