Category:   Application (Security)  >   PGP Vendors:   Network Associates
PGP's Use of Split Keys and Caching Can Allow Unauthorized Local Users to Encrypt, Decrypt, or Sign Files and Messages
SecurityTracker Alert ID:  1001286
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 10 2001
Impact:   User access via local system
Exploit Included:  Yes  
Version(s): PGP Desktop Security 7.0 on Windows 2000
Description:   Wkit Security issued an advisory for Network Associates PGP Desktop Security encryption software. The vulnerability allows unauthorized users in certain cases to encrypt, decrypt, and sign messages and files using keys that they do not otherwise have access to.

PGP reportedly allows the use of split keys for encryption/decryption and digital signing. When the keys are split, the split shares are saved as encrypted files. When a user attempts to sign or decrypt a file or an e-mail message with a split key, PGP will automatically attempt to rejoin the key.

Wkit Security reports that if any caching option in PGP has been activated, a malicious local user can then encrypt/decrypt or sign any file or e-mail message with a split key that has been previously authenticated by the split-key shareholders.

A more specific example is provided in the source message.

The vendor has reportedly been contacted.

Impact:   If any caching option in PGP has been activated and split keys are used, a malicious local user can then encrypt/decrypt or sign any file or e-mail message with a split key that has been previously authenticated by the split-key shareholders.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error, Authentication error
Underlying OS:  Windows (2000)

Message History:   None.

Source Message Contents

Subject:  [wsir-01/02-03] PGP 7.0 Split Key/Cached Passphrase Vulnerability


TITLE:          PGP 7.0 Split Key/Cached Passphrase Vulnerability
ADVISORY ID:    WSIR-01/02-03
DISCOVERED BY:  Patrik Birgersson, Wkit Security AB
CLASS:          ---
OBJECT:         PGP Desktop Security 7.0
VENDOR:         Network Associates Technology Inc.
STATUS:         Vendor contacted
REMOTE:         Yes
LOCAL:          Yes
PUBLISHED:      2001-04-08
UPDATED:        2001-04-10
VULNERABLE:     PGP Desktop Security 7.0
                + Windows 2000


PGP Desktop Security 7.0 is a collection of encryption software. It can
be used for encryption of e-mails, files and network communications, based
on PKI. It also offers a personal firewall and intrusion detection (IDS).
PGP contains the possibility to use split keys for encryption/decryption
and digital signing. When creating a split key, you are asked to set up
how many different shares will be required to rejoin the key.
The shares are saved as files either encrypted to the public key of a
shareholder or encrypted conventionally if the shareholder has no public
After the key has been split, attempting to sign with it or decrypt with
it will automatically attempt to rejoin the key. There are two ways to
rejoin a key, locally and remotely. Rejoining key shares locally requires
the shareholders' presence at the rejoining computer. Each shareholder is
required to enter the passphrase for his or her key share. Rejoining key
shares remotely requires the remote shareholders to authenticate and
decrypt their keys before sending them over the network. PGP's Transport
Layer Security (TLS) provides a secure link to transmit key shares, which
allows multiple individuals in distant locations to securely sign or
decrypt with their key share.


Wkit Security AB has found that if any caching option in PGP Desktop
Security 7.0 is activated, there is a vulnerability that allows a malicious
user to encrypt/decrypt or sign any file or e-mail with a split key that
has been previously authenticated by an appropriate number of split-key


Users A, B, C and D have one share each of a split key (let's say a
corporate management key). The split key requires two shares to
authenticate in order to be operational.

User A asks user B to provide his/her share for encryption of the latest
economic forecast (let's say a PDF document). User B knows that this is a
document that needs to be encrypted and should not be accessible by one
single user, so he/she connects to user A's PGP network session and
supplies his/her share for the split key, thus enabling encryption of the
economic forecast (user A's share is of course also supplied).

Now, user A has the option "Cache passphrase while logged on" activated
in his/her PGP software. This will let user A do "whatever" with the
split key.

Since user A in this example is malicious, he/she writes a press
announcement and signs it with the split key (corporate management key,
remember?). Imagine the impact a press announcement with negative (or any
other unwanted) information signed with a "trustable" key would have.


The concept of split keys/key shares that is used by PGP Desktop
Security 7.0 is not secure in itself, regardless of caching options
or any similar mechanism in the software. A malicious user could replace
the PGP software with a modified version, thus "grabbing" the key shares
from other key share holders.

There are systems that solve this problem. They allow each party to
receive a copy of the data that they wish to sign or encrypt, and they
can perform a partial operation on it using their share on a trusted
They can then forward the partial result to the next user and so on until
all users required have processed the data. The last user will generate
the final encrypted or signed data.

Since none of the users reveal their share, nobody else, and none of
them, obtains a copy of the reconstructed secret, and you can reuse it as
long as you want.


The information within this advisory does not imply in any way that the
cryptographic algorithms used by the PGP software contain a

This advisory points out a risk in the method that is used for split
keys, not necessarily limited to the PGP Desktop Security 7.0 software
package. Other encryption software packages may use the same method for
split keys, thus making them vulnerable to malicious users.

However, Wkit Security AB feels that the caching feature of PGP Desktop
Security 7.0 makes the process of retrieving/storing shares from a split
key so easy that no expert knowledge is needed to exploit this


The vendor was contacted via e-mail ( on March 8,
2001. The vendor reply was:

"You have sent this message to corporate e-mail support. However, we were
not able to determine that you have a valid support contract, which
entitles you to corporate e-mail support.
If you are a retail customer who has purchased a product for home or
personal use, please direct your questions to our retail support center
If you are a corporate customer who has support, or would like to purchase
support, please call our customer service department. They will give you a
grant number, which is your key to corporate support. Please include this
number in future e-mail support questions.
Customer service can be reached by following the prompts at:

On March 12, 2001 the vendor was contacted again on, without any reply at all.

On March 21, 2001 the vendor was contacted via phone and we spoke to
(according to them) a PGP developer. An e-mail containing all information
was sent to his personal address

On March 26, 2001 a new e-mail was sent to the personal e-mail address
of the person mentioned earlier, where we requested some comment or other
verification about this issue, but no reply has been sent to us.
In this mail we also reminded them of the upcoming disclosure date, according
to the 30-day disclosure period Wkit Security AB uses (this section is
provided later on in this document).

Wkit Security AB has no knowledge of any solution or workaround for this
problem. Even if the vendor were to disable caching for split keys, it
would still be possible for a malicious user to write his/her own software
to "grab" the key shares.

If one wishes to utilize split keys, the use of a system that does not
require exposure of key shares is preferred.


This vulnerability was originally discovered and documented by Patrik

Supplementary information and comments about this issue have been given by
Elias Levy of Security Focus ( and moderator
of the Bugtraq mailing list.

Other advisories from Wkit Security AB can be obtained from:


The contents of this advisory are copyright (c) 2001 Wkit Security AB and
may be distributed freely, provided that no fee is charged and proper
credit is given.

Wkit Security AB takes no credit for this discovery if someone else has
published this information in the public domain before this advisory was

The information herein is intended for educational purposes, not for
malicious use. Wkit Security AB takes no responsibility whatsoever for the
use of this information.


Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a leading
role in the development of security thinking, regarding internal and
external data communication at companies and other organizations that
store sensitive information.

The company consists of two divisions: a service division, performing
security analysis and security reviews, and a product division. We work
together with strategic partners to bring programs and services into the
market. Our services and products are continuously developed to optimally
follow the world demand for IT security.


Whenever Wkit Security AB finds any security-related flaws in an operating
system or application, we will provide the vendor responsible for the
product with a detailed Incident Report.

We believe that 30 days is appropriate for the vendor to fix the problem
before we publish the incident report on our own web page and other
mailing lists/websites we find suitable for the majority of the worldwide

If the vendor has a reasonable cause why they can't fix the problem in 30
days we can, after discussion, agree on a longer disclosure time.


Wkit Security AB's highest priority is public security, and it will
never release Incident Reports without informing the vendor and giving them
reasonable (30 day) time to fix the problem. In general, Wkit Security AB
follows the guidelines for reporting security breaches we found on the
vendor's homepage or similar.

We urge vendors that, in the same way we follow their guidelines, they
inform us about the solution; if possible, 2 days before the
fix/solution is presented to the majority. This gives us the chance
to prepare our web page to inform about the Incident and to present a
solution in the way the vendor suggests at the time when it is presented to
the majority.


Wkit Security AB should be contacted through if no
other agreement has been made. Every incident report is assigned a report
number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one
responsible contact person from Wkit Security. When communicating with
Wkit Security AB in the matter of the Incident Reports, be sure to add the
WSIR number in the email to avoid any problems.

Wkit Security AB

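The threshold approach the advisory contrasts with PGP's rejoin step can be made concrete with a toy implementation. The Python below is an added example, not code from the advisory, from Wkit Security AB or from PGP: it uses Shamir sharing over a small ElGamal group (constructed parameters p = 2039, q = 1019, g = 4; real deployments use far larger groups) to show the two designs side by side. In the rejoin path user B's share is handed to user A, who then holds the whole private key and can decrypt (standing in here for the sign operation in the advisory's scenario) a later, unrelated message alone. In the threshold path each shareholder computes only a ciphertext-specific partial result with their share, and what the combiner receives for one ciphertext gives no ability over the next. The example combines partial results in parallel rather than forwarding them in sequence as the advisory describes; the property that no share and no reconstructed secret is ever exposed is the same. Message values, shareholder indices and the fixed randomizers r are constructed for reproducibility.

```python
import secrets

# Constructed toy parameters: safe prime p = 2q + 1 and a generator g of the
# order-q subgroup (4 = 2^2 is a quadratic residue, hence has order q).
P = 2039
Q = 1019
G = 4


def keygen():
    """Private key s in Z_q and ElGamal public key y = g^s mod p."""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(G, s, P)


def split_key(s, threshold, n):
    """Shamir split of s over Z_q: shares (i, f(i)) for i = 1..n, any
    `threshold` of which determine f(0) = s."""
    coeffs = [s] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    shares = []
    for i in range(1, n + 1):
        value = 0
        for power, a in enumerate(coeffs):
            value = (value + a * pow(i, power, Q)) % Q
        shares.append((i, value))
    return shares


def lagrange_at_zero(indices):
    """Lagrange coefficients lambda_i (mod q) with sum(lambda_i * f(i)) = f(0)."""
    coefs = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = (num * j) % Q
                den = (den * (j - i)) % Q
        coefs[i] = (num * pow(den, -1, Q)) % Q  # Python 3.8+ modular inverse
    return coefs


def encrypt(y, m, r=None):
    """ElGamal: (g^r, m * y^r). r is random unless fixed for reproducibility."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (m * pow(y, r, P)) % P


def decrypt(s, ct):
    c1, c2 = ct
    return (c2 * pow(pow(c1, s, P), -1, P)) % P


def rejoin_key(shares):
    """The rejoin design: shareholders hand over their shares and the
    combiner reconstructs s, which then lives (and can be cached) on its host."""
    coefs = lagrange_at_zero([i for i, _ in shares])
    return sum(coefs[i] * v for i, v in shares) % Q


def partial_decrypt(share, ct):
    """Run by each shareholder on their own machine; only c1^f(i) leaves it."""
    i, v = share
    return i, pow(ct[0], v, P)


def combine_partials(partials, ct):
    """Combiner: c1^s = prod (c1^f(i))^lambda_i. It never sees s or any f(i)."""
    coefs = lagrange_at_zero([i for i, _ in partials])
    c1_s = 1
    for i, d in partials:
        c1_s = (c1_s * pow(d, coefs[i], P)) % P
    return (ct[1] * pow(c1_s, -1, P)) % P


def demo():
    """Users A, B, C, D (shares 1..4) of a 2-of-4 key, as in the advisory."""
    s, y = keygen()
    shares = split_key(s, threshold=2, n=4)
    forecast = 1234  # constructed stand-in for the economic forecast
    press = 777      # constructed stand-in for the later, unauthorized message
    ct1 = encrypt(y, forecast, r=11)
    ct2 = encrypt(y, press, r=23)

    # Rejoin path: B gives A a share; A now holds s and can use it on anything.
    cached = rejoin_key([shares[0], shares[1]])
    rejoined_ok = cached == s
    reuse_by_a = decrypt(cached, ct2) == press

    # Threshold path: A and B each compute a partial for ct1 only.
    partials = [partial_decrypt(shares[0], ct1), partial_decrypt(shares[1], ct1)]
    threshold_ok = combine_partials(partials, ct1) == forecast
    # The ct1 partials give A nothing reusable against ct2.
    partials_reused = combine_partials(partials, ct2) == press
    return rejoined_ok, reuse_by_a, threshold_ok, partials_reused


if __name__ == "__main__":
    print(demo())  # (True, True, True, False)
```

`demo()` returns four booleans: the rejoin reconstructs the key, the rejoined key decrypts the second ciphertext on A's machine alone, the threshold combine decrypts the first ciphertext, and the first ciphertext's partials fail on the second. The last result is deterministic because the two fixed randomizers differ, so the stale partials leave a factor g^(12s) on the output.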


