Schneier et al Report PGP Vulnerability
SpaceTaxi writes: "Researchers reported that they were able to intercept and modify a PGP encrypted message so that, IF it is sent back to the attacker, the original message could be read by the attacker." The paper comes from Kahil Jallad, Jonathan Katz, and Bruce Schneier. Here is the Yahoo! article.
Now that the interview isn't the main focus, downmod all score:5's and the other moderators will never notice!!
The flaw affects software using Pretty Good Privacy, the most popular tool for scrambling e-mail.
Only the PGP *program* seems to be affected, not the actual OpenPGP standard. Thank god.
...bad!
There is a HUGE amount of highly classified material communicated with the help of PGP. On the other hand, most people don't realize how much highly classified material is sent without encryption at all.
leaving the door open for instances like this.
PEBKAC conquers all, as usual.
Cretin - a powerful and flexible CD reencoder
... he hasn't posted an article since Jul 15th!
Is he still employed with OSDN??
Inquiring minds want to know!
Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
ENCRYPTED.TXT ...but it is corrupt. Could you please send me a copy?
Here is my public PGP key:
It's not even based on the Navajo language! No wonder it's vulnerable!!!
First the SSL bug, now this? Looks like we have to go back to two paper cups and a piece of string for sending encrypted messages to each other...
Aw, fuck it. Let's go bowling. - The Big Lebowski
the DMCA!
ooooOOOOOOooooooo
The greatest right given is the right to be wrong...
Where's the 9/11 reference? I couldn't find it anywhere...
Every day it seems like there is some new vulnerability discovered in one of our beloved secure communication tools/protocols (PGP, SSL, SSH, etc). This really hurts me a lot, as I feel my trust has been shattered.
For this reason, I ask... no beg... all hackers, researchers, programmers, etc to please stop reporting these security problems. Find something? Keep it quiet! Don't tell anyone, and then no one will know, and we'll all still be safe. Maybe in a few years, you can quietly patch it up, and we'll all go on like nothing has happened. Sound good?
Let's all follow Microsoft's lead on this one. Thanks guys!
Before people jump on this -- yes, it's old news, and it doesn't only affect PGP. But this is something which hasn't gotten the attention it deserves. Many people are still working with dual key support and don't even know it.
Damn, now we'll never get to shut him up on sci.crypt.
Nonetheless, an update to the OpenPGP standard was to be released Monday to coincide with the announcement of the flaw. Many developers already have begun to write software fixes, Callas said.
looks like it might be a little more than something just in PGP, if they are releasing an update to the OpenPGP standard.
although I suspect PGP is the "most" vulnerable to this, it would be interesting to see what other OpenPGP software is really affected.
Nex6
...Jonathan Katz...
Anyone wanna bet they called him Jon Katz before the idiot reporter on this site ruined his good name?!?
i'm not sure, but i think he's been spending a little vacation with some hacker friends in Afghanistan.
Cretin - a powerful and flexible CD reencoder
The abstract of the paper suggests that the attacks largely fail when the data is compressed before encryption. From the GNU Privacy Guard manpage of version 1.0.7, the default is to use RFC1950 compression (which is ZLIB compressed data format) and the default compression level of the zlib library (normally 6). Note that all this applies to GNU Privacy Guard 1.0.7. According to the same manpage, the NAI PGP implementation uses RFC1951 compression, which is the DEFLATE compressed data format.
Banu
I had been wondering what John Katz has been up to, so it's good to hear that he's been keeping busy. Now perhaps he'll have some time to review some movies; I've been seeing entirely too many, since I don't know what NOT to watch anymore ;)
I use alcohol to encrypt my email messages to specific people, people like ex-gfs, college professors, old bosses, etc. Example: Ihate tyou. WHY doaNt you JSust dddieee!@#! My MMMOOOM tlds mee yYoyu wass BadDS KNwesss. True, it's not as secure as PGP, but it has its uses.
From CNN here.
I thought he was just a bloviated wannabe essayist, not a crypto analyst. Surely this can't be the same guy...
DO NOT LEAVE IT IS NOT REAL
Errata from the desk of Bruce Schneier: Pay no attention to p. 584-587 of Applied Cryptography - 2nd Edition... I didn't know what I was talking about... now I do.
come on fhqwhgads
Imagine a user who has configured his software to automatically decrypt any encrypted e-mails he receives.
An adversary intercepts an encrypted message C sent to the user and wants to determine the contents P of this message.
To do so, the adversary creates some new C' and sends it to the user; this message is then automatically decrypted by the user's computer and the user is presented with the corresponding message P'.
To the user, P' appears to be garbled; the user therefore replies to the adversary with, for example, "What were you trying to send me?", but also quotes the garbled message P'.
Thus, the user himself unwittingly acts as a decryption oracle for the adversary.
PGP and GnuPG use both symmetric and asymmetric encryption algorithms to encrypt data. First a random key (S) is generated and the data (C) encrypted with it (giving you C'). The symmetric key is then encrypted using the asymmetric key (public key) giving you S'. When the message is sent the encrypted key S' is sent along with the data.
What appears to be happening is that Mr Schneier and buddies have figured out a way to create a data part C', so that when it is decrypted, the original symmetric key (S) can be obtained from it.
This means that :
Even if someone tricks you into decrypting a message for him, then that attack will only reveal the contents of that particular message. (Your private key, and all other encrypted data, is still safe.)
PGP has not been 'broken'; nobody can read your encrypted emails without your help.
This is not the end of PGP/GnuPG.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
For my own sake, because I may not be reading this right:
If someone manages to get me to send (them? anyone?) a message they already know the contents of encrypted with (my?, the person I'm sending the message to?)'s private key then they can decrypt the message and (read it?, figure out the private key?).
1.) This seems pretty unlikely to work, unless minor modifications don't bother the attack (like adding a > in front of each line of the previous email)
2.) let's say john.doe@someplace.com sends me a message and it's encrypted and signed. If I accept it and it shows that john.doe@someplace.com's signature is valid (which it must or I will delete it) then how can the attacker know the contents of the email unless they have already managed to get john.doe@someplace.com's private key? If they already have his private key, then they can decrypt any message I send to him anyhow. I don't really see how they could get my private key and at this point, if I can't trust john.doe@someplace.com and I send him an email then my compromise is an issue of trust rather than a PGP flaw.
Please clue me in if there is anything in this that I have not really understood.
My $0.02 will always be worth more than your €0.02, so
It's nice to see someone's name in a slashdot story that you know for once. Just thought I'd give Kahil some props ....
of an earlier announcement of a vulnerability here found by some folks at Bell Labs.
So is this new (albeit social engineering) vulnerability just "asking the million questions" in one shot?
"Provided by the management for your protection."
What are they teaching you kids in school these days? Let's try that again:
Security is a process, not a technology.
If Typical User of E-Mail Encryption Software is not educated in good security practices, then there's no technology in the world that's going to help him out. Plug up one "naivety" hole? Wow, I guarantee you he'll find 100 more. Teach him about security processes, not technologies.
Maybe they'll throw JonKatz in jail. Well a geek can hope can't he?
Yeah, I know this is a troll. But I have karma to burn. And if I'm gonna burn karma, I can't think of a better way than by trolling JonKatz.
This type of attack was mentioned in Applied Cryptography by Schneier himself, p42.....
Yawn....
A news.com article discusses two separate new flaws found in Flash Player. One allows malicious code to be run on Windows/Unix OSes. The other allows an attacker to read files on a person's local hard drive. For the first flaw, all Windows and Unix versions of Flash Player before 6,0,40,0 are affected. Any application capable of reading SWF files (email, instant messenger, browser) can be used. For the second, it relies on the XML functionality of Flash Player 6 and tricks the browser into reading local files.
So, if I were to create my own encryption, would it be better than someone else's that is widely spread? What all would it take to make it really secure?
Help me out here. I'm thinking of doing something like this for a portal system I'm itching to write in perl, possibly having 2 different encryptions: everything goes through the first encryption so the entire database is encrypted, then all passwords, etc. go through a 2nd encryption algorithm after the first to make them more secure. Does this seem like a good idea?
You know, I have one simple request. And that is to have sharks with frickin' laser beams attached to their heads!
Please, read this article with an eye to word meanings and English usage.
This is a setup and usage problem in the email client, not in a flaw in PGP.
If a person is fool enough to leave their keyring available to the mail client (that's what the floppy disk in my pocket is for), to not remove their passphrase from memory, and to automatically include the plain-text version of an encrypted message when replying, they deserve no security.
This so-called "flaw" in PGP is on a par with calling an OUTLOOK email flaw a virus.
As the article notes, this isn't a new attack; Schneier and Katz had a paper on the general principle two years ago; it has been up on the Counterpane Labs site for some time now.
BTW, you don't get S, the session key. You get a new message, P which is related to M in a manner you chose.
Easy example (not real life): Suppose the message C is encrypted using any algorithm in Electronic Code Book mode. To sucker the user into decrypting that, I send him a message C' which includes all the ciphertext blocks which were in the original message C (but not in the same order). He decrypts that (giving P) and quotes it back to me as a garbled message. I now build a codebook with P and C', and use that to decrypt C.
If another mode is used, as in PGP, a more complicated method of constructing C' is required (and is given in the paper), but it still works.
http://news.com.com/2100-1001-949368.html
Archie - CIO-for-hire
I know it's off topic, but since everyone seems to have pop-ups here with such a passion, why doesn't Slashdot adopt a policy to not link to stories (like this) at Yahoo!, who has pop-ups, and instead only link to sites that are pop-up free? I'm sure this story is going to be picked up by many other sites, but Yahoo! will get all that traffic, and keep serving up the pop-up ads, as we all go there.
Was the inclusion of Jon Katz in the study.
I assume they used all his civil rights encrypted emails from his excellent Hellmouth series to demonstrate the exploit.
I would be surprised if he actually had time to study anything between his pandering to children, and RPG'ing to understand the socio-economic realities of the real world.
he must be really multi-talented.
This is how the allies broke the German enigma in World War 2.
//begin not-so-obscure geek reference //end not-so-obscure geek reference
I'm surprised that that counterpane is reporting this as though it were some new idea, it's not.
This is the problem with programs like PGP, they're so well made that they allow a user who has no idea how they work to use them. Unfortunately, that can lead to the simplest of attacks to work.
Cryptonomicon: Waterhouse breaks the cipher used by Shafthoe et al by ensuring that the word 'crocodile' was used in the ciphertext and using it as a crib. Same deal.
Does this mean that one has to consider yet another problem when implementing pgp in an application?
How can this even be avoided?
recompile.org
Sorta' Good Privacy.
And if somebody sends you an encrypted e-mail that is automatically decrypted by your mail client with whatever PGP implementation you happen to use, what do you suppose will happen if you FORWARD it? The recipient might actually be able to *gasp* READ IT!
Is this a problem with PGP or is it a problem with lusers?
We just got back from our weekend on the beach. We got a little crazy and started exchanging public encryption keys. Just hit reply if you would like to see the pictures.
Yes, given that human error is inevitable, it's important to design systems to limit the damage it can cause.
The aviation industry has been doing that for generations.
The aviation industry has also put enormous effort into educating pilots so that they make fewer errors. There are some errors that can't be contained or corrected, like flying into a mountain range or failing to check the fingerprint on a public key.
heh. looks like jon katz is at least good for something :-)
It hinges on being able to intercept a message, add some random data to the encrypted blocks containing its payload, and then for the recipient to decrypt it, and respond "hey Ed, what's with this garbled message you just sent me?" with that decrypted message quoted below. And, naturally, for the attacker to be able to intercept that response as well.
The basic idea of a "chosen ciphertext" attack is that if you can see a decryption of blocks you mangle, you can work backwards to get the plaintext in the unmangled blocks. You might consider this an attack on the user interface or the protocol rather than the algorithm. You should just never be quoting failed decryptions...
The talk about compression preventing the attack is not referring to the compression of ciphertext by you (i.e. ZIP'ing the payload before sending). That doesn't make a difference. It involves the DEFLATE compression the PGP/GPG software applies (and it generally does so only for uncompressed plaintext) both before and after encryption. As you may already be realizing, randomizing compressed data will cause the decompression to fail with an error; that will make it much less likely for the user to disclose the failed decryption.
Fixing this is a good idea. Until it is fixed, if someone sends you garbage, don't reply, or if you do, don't quote their message in your reply. However, this is not the end of the world. The foundation is still sound, the attack is only useful on a per-message basis, and your keys are not affected by this strategy.
I do have a question for the crowd; it seems to me that this is an attack on "encrypted" messages, as opposed to "encrypted and signed" messages. I am assuming that the use of signatures will also foil this attack, but I would welcome comments from others on that subject.
Want to Know How to Cheat the GPL? Read On!
what a lame vulnerability, it's not the program which is flawed, it's the human!
If "Kahil Jallad, Jonathan Katz, and Bruce Schneier" write a paper, the abbreviation is "Jallad et al". If Schneier is the LAST author in the list, it probably means he did very little except motivate the paper and help brainstorm.
In case anybody is actually confusing him with another Meestah Katz:
This should put the confusion to rest.
Correct me if I'm wrong:
The vulnerability occurs when the target of the attack replies to the attacker's special message, quoting the decrypted version of the special message. Attacker analyzes the decryption -> uses that info to figure out original message -> takes over the world.
If the compression feature is enabled, however, the inflation process during decryption will PROBABLY fail because the attacker's special message will PROBABLY be meaningless under inflation and thus will PROBABLY translate into something that will not be useful when the clueless victim quotes it in their "hey what is this garbage" reply. In other words, the decompression is also a test for validity.
Now I am a crypto newbie, but shouldn't we get really nervous around the idea of using an algorithm designed for one thing (compression/decompression) for something completely different (validity checking)? Obviously PGP wasn't designed to use the compression algorithm for verification - but the paper seems to present the compressed-data fix with a sigh of relief. "Don't worry, there just happens to be this compression thing in there that makes this attack difficult." How difficult?
This is a well known attack, isn't it? I can remember giving a talk on how to use PGP and telling people to never:
a) Sign random garbage sent to them by anyone (and send it back), or
b) Decrypt stuff and send it back.
I'll offer a second helping of props for that gold-toothed pgp-craxxor.
(INSERT EMBARRASSING STORY HERE)
In the future, I would want to not be isolated from my friends in the Space Station.
I don't mean to discourage you, so if you are serious about implementing a secure portal, or just learning more about secure systems development, here are some of my favorites:
By Schneier:
Secrets and Lies -- on why crypto and technology aren't enough.
Applied Cryptography -- How to make good crypto
By Viega and McGraw: Building Secure Software -- The whole process of secure system development.
Good luck and good reading!
The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.
Iamidiot corp announced today that there is a serious vulnerability in every email program available. Sending your credit card number to someone you don't know could have a serious effect on your account!
It's "et al.", al. is an abbr. for alldamofos, so et al. means "and all the mofos". Or is that mofus?
I'm confused. If party A sends an encrypted message to party B using B's public key, wouldn't party B reply to party A using party A's public key thereby making the garbled text unreadable to interceptor C?
-- Thou hast strayed far from the path of the Avatar.
From Merriam-Webster online:
sarcasm:...
2 a : a mode of satirical wit depending for its effect on bitter, caustic, and often ironic language that is usually directed against an individual b : the use or language of sarcasm
My other OS is the MCP!
How can "you should not quote a message to which you are replying" possibly be common sense? An algorithm that is vulnerable to a "social engineering" attack this simple should not be advertised as a secure algorithm. Encryption and signatures must become transparent and reliable if they are to be used by a large number of people.
I once participated in a similar discussion where I argued that headers like "to", "cc", and "date" should be included in the hash when signing a message, because people will send short messages such as "Today's meeting has been cancelled" whether you want them to or not. (I can't find that discussion now.) I was and still am shocked that the majority of participants in the discussion felt that the hole was the fault of the sender for not including enough context in the original signed message, or of the recipient for not noticing that the message lacked context and/or not suspecting that the e-mail might have been forwarded.
The shareholder is always right.
Ack. Yes. The only way to use signing to protect yourself would be to adopt a policy of only accepting valid signed messages, either in the software or in meatspace. And if you can enforce policies in meatspace, you might as well bypass the whole issue and adopt a policy of never disclosing the result of a decryption.
That's what I get for speaking off the cuff.
In the section "Resending the Message as a Receipt" on page 43 of Applied Cryptography:
If Bob checked the message for comprehensibility before [automatically] sending a receipt, he could avoid this security problem.
Just like any other good security scheme, there's nothing wrong with PGP, assuming it's used correctly.
...just my 2 gil.
See this post.
Darnit, I thought I'd configured my prefs to filter out everything by Jon Katz but this article still got through! It's a conspiracy to make me crazy!
- First they ignore you, then they laugh at you, then ???, then profit.
Damnit, I thought my filter on Slashdot was supposed to take his stuff out!
CowboyNeal! Your stupid filter isn't working!
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
It's called "Secrets and Lies". Also, see the article at The Atlantic.
Best Slashdot Co
Human or bad plumbing?
Duh?
I am the nightmare of nightmares.
And that proves it's not trolling how?
Because it wasn't trolling. Trolling would be much more straight forward. This is clearly meant to be funny.
Yes, but it still fails on data that's already compressed. According to the paper (as opposed to the abstract), both PGP and GPG disable compression on data that's already compressed, thus allowing the attack to succeed.
Patrick Doyle
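The compression discussion above (decompression failing as an accidental validity check, and the point that already-compressed data gets no such protection) is easy to see with a small model. This is an added example, not code from the post or from PGP/GnuPG: the symmetric layer is a constructed XOR stream cipher chosen only because it is malleable like the real attack needs, and the `compress` flag stands in for PGP/GPG skipping compression on pre-compressed input.

```python
import hashlib
import zlib

# Constructed demo key; a real OpenPGP session key is random per message.
KEY = b"constructed-demo-session-key"


def keystream(length: int) -> bytes:
    """Deterministic keystream from KEY (SHA-256 in counter mode) for the toy cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data: bytes) -> bytes:
    # XOR stream cipher: malleable by construction, so a flipped ciphertext byte
    # flips the same plaintext byte. This models the malleability the attack relies
    # on, not PGP's actual CFB-mode block cipher.
    return bytes(a ^ b for a, b in zip(data, keystream(len(data))))


def encrypt_message(plaintext: bytes, compress: bool = True) -> bytes:
    """compress=False models PGP/GPG skipping compression on already-compressed input.
    The leading flag byte records which case this message is (constructed framing)."""
    body = zlib.compress(plaintext) if compress else plaintext
    return bytes([1 if compress else 0]) + xor_crypt(body)


def decrypt_message(ciphertext: bytes) -> bytes:
    compressed = ciphertext[0] == 1
    body = xor_crypt(ciphertext[1:])
    return zlib.decompress(body) if compressed else body


def flip_byte(ciphertext: bytes, index: int) -> bytes:
    """The 'add some random data' step: invert one byte of the encrypted body."""
    buf = bytearray(ciphertext)
    buf[index] ^= 0xFF
    return bytes(buf)


def victim_reply(ciphertext: bytes):
    """Models the auto-decrypting client: returns the text it would quote back in a
    'what is this garbage?' reply, or None when inflation raised an error and there
    is nothing to quote. Only the compressed path gets this accidental check."""
    try:
        return decrypt_message(ciphertext)
    except zlib.error:
        return None
```

Note that the check is a side effect of zlib's framing (Huffman codes plus the Adler-32 trailer), not a designed integrity mechanism; a MAC or authenticated encryption is the deliberate version of the same idea.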
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
I found out that if you e-mail out your passphrase and private key, and the e-mail gets intercepted by a malicious user, the malicious user might be able to use the e-mail to decode your PGP encoded messages...
This is good work, because it illustrates the real-world importance (i.e., feasibility) of "chosen-ciphertext attacks." PGP and GnuPG are vulnerable to these attacks *by design*. It's not a mathematics problem, or an implementation problem, or a standards problem, but simply a requirements problem. Nobody thought to use CCA-secure encryption in PGP et al. Nor is anyone really to blame: these kinds of attacks weren't even formalized, nor reasonable solutions proposed, until a few years ago. It requires specialized cryptosystems, built from the ground up, to offer provable security against such attacks.
Chosen-ciphertext attacks take advantage of some kind of "malleability" in the ciphertext. For example, say Eve intercepts some RSA ciphertext C of a message M from Alice to Bob. She wants to know M, but can't solve RSA. Well, she just multiplies C by, say, 3^e (mod n) [where e is the encryption exponent in the public key] and sends it off to Bob. Bob decrypts it and gets some junky-looking message M', and sends it along to Alice, saying "what gives?" Little does he know that M' = 3M, whence Eve intercepts M', divides by 3, and voilà. In reality the situation is more complicated (RSA is used to encrypt session keys, not full messages), but the principle is the same.
Chosen-ciphertext-secure cryptosystems generally embed some "proof" that whoever generated the ciphertext "knows" the message to which it decrypts. For example, they use (idealized) hash functions, or encryption of the same message under two different keys. This way, Eve can't generate a valid ciphertext by modifying something Alice sent to Bob. If the proof doesn't check out, then Bob can tell that he may be under a chosen-ciphertext attack, and will throw away the ciphertext. In the previous scenario, Bob can't tell whether the ciphertext was built maliciously, or was just the encryption of some garbage that Alice legitimately sent. Here, he can.
I like this work because it moves chosen-ciphertext attacks from the realm of "paranoid academics modelling an unrealistically powerful adversary" to the "real world." Now people may think twice before choosing weaker crypto than is currently available.
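The RSA malleability described in the post, worked through in code. This is an added example, not from the post or the paper: the primes are constructed toy values (far too small for real use), and the tag check at the end is a deliberately simplified stand-in for the "proof that the sender knows the message" idea, not a real CCA-secure padding such as OAEP.

```python
import hashlib

# Constructed toy RSA key from two known primes (NOT a secure size; illustration only).
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def rsa_encrypt(m: int) -> int:
    """Textbook RSA: no padding and nothing that proves the sender knows m."""
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)


def blind_ciphertext(c: int, k: int = 3) -> int:
    """Eve's step from the post: C' = C * k^e mod n decrypts to k*M mod n."""
    return (c * pow(k, E, N)) % N


def unblind_reply(m_prime: int, k: int = 3) -> int:
    """Eve recovers M from Bob's quoted M' = k*M mod n by multiplying with k^-1 mod n."""
    return (m_prime * pow(k, -1, N)) % N


# Simplified stand-in for the "proof" the post describes: bind a 32-bit hash tag of the
# message into the plaintext and refuse to output anything whose tag does not verify.
# A tampered ciphertext now decrypts to something whose tag fails instead of to 3*M.
TAG_BITS = 32
MSG_LIMIT = 2 ** 27  # message || tag must stay below N with these toy primes


def _tag(m: int) -> int:
    return int.from_bytes(hashlib.sha256(m.to_bytes(8, "big")).digest()[:4], "big")


def encrypt_with_tag(m: int) -> int:
    if not 0 <= m < MSG_LIMIT:
        raise ValueError("message too large for the toy parameters")
    return rsa_encrypt((m << TAG_BITS) | _tag(m))


def decrypt_with_tag(c: int):
    """Bob's checked decryption: returns m, or None when the tag fails, which is the
    signal that the ciphertext may have been built by someone who never knew m."""
    packed = rsa_decrypt(c)
    m, tag = packed >> TAG_BITS, packed & (2 ** TAG_BITS - 1)
    if m >= MSG_LIMIT or _tag(m) != tag:
        return None
    return m
```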
It seems pretty unlikely for anyone to be unaware enough to go along with all the requirements for this to work.
But it occurs to me that this could have been an interesting disinformation opportunity to scare less technically aware terrorists to avoid using PGP (who knows, they might try a less secure alternative that the Fed can decrypt).
The guy mentioned in the article wouldn't be the same Jon Katz who used to write rants^H^H^H^H^Heditorials for Slashdot, would it? I thought he died 3 years ago. Right about the time I discovered the Slashdot story filters.
Democracy is two wolves and a sheep voting on lunch.
Did you actually believe that it was an errata from Bruce Schneier? Obviously not, but by your "common practice" I should have put a smiley after that sentence also.
I don't believe in emotion icons, for centuries we have done without them yet communicated our ideas accurately. This "common practice" is just another step to dumbing down quality sites such as this.
I am not 6 years old and thus not amused by simple key combinations.
come on fhqwhgads