Slashdot Mirror
Schneier et al Report PGP Vulnerability
SpaceTaxi writes: "Researchers reported that they were able to intercept and modify a PGP encrypted message so that, IF it is sent back to the attacker, the original message could be read by the attacker." The paper comes from Kahil Jallad, Jonathan Katz, and Bruce Schneier. Here is the Yahoo! article.
If you had read the article, the program isn't really flawed either. This is a case in which a human can be fooled into sending decrypted garbage back to the villian, who can then do his decryption to get the original text of the message.
I'm not sure the software should be able to prevent this. Of course, it would be nice if it did, but this is just one of those common sense things that hopefully users of PGP will be smart enough to understand.
I could always reply to the sender of an encrypted message and say "could you send that to me unencrypted, I can get it to work." If they fell for it and sent it to me unencrypted, you could say the software failed, I suppose, but really it's the human's fault.
My Karma was at 49, then they switched to words. All that work for nothing!
Nonetheless, an update to the OpenPGP standard was to be released Monday to coincide with the announcement of the flaw. Many developers already have begun to write software fixes, Callas said.
looks like it might be a little more then something just in PGP, if they are releasing an update to the
openPGP standard.
altho i suspect PGP is the "most" vulenerable to this , It would be interesting to see what other openPGP software is really effected.
Nex6
Actually, it looks like it affects the standard, but implementations that deviate from the standard (i.e., GnuPG in some respects) may be less vulnerable.
According to the Columbia University research paper (or at least one of them), the flaw does effect the OpenPGP standard, and specifically, they successfully exploited the flaw in GnuPG as well when compression was not used. The authors note that the flaw even exists when compression is employed, but that GnuPG deviates enough from the OpenPGP compression standards that compressed GnuPG messages are relatively safe. Apparently GnuPG employes a non-standards-required message integrity check that foils the attack.
The abstract of the paper suggests that the attacks largely fail when the data is compressed before encryption. From the GNU Privacy Guard manpage of version 1.0.7, the default is to use RFC1950 compression (which is ZLIB compressed data format) and the default compression level of the zlib library (normally 6). Note that all this applies to GNU Privacy Guard 1.0.7. According to the same manpage, the NAI PGP implementation uses RFC1951 compression, which is the DEFLATE compressed data format.
Banu
Yeah, this exploit falls under the 'social engineering' side more than anything. Who on earth would use PGP for their communications, but have no hesitations replying to suspicious email from unknown people. Even if one were to reply, one shouldn't include the body of the mail in question out of sheer para^H^H^H^Hcommon sense!
"Old man yells at systemd"
Imagine a user who has configured his software to automatically decrypt any encrypted e-mails he receives.
An adversary intercepts an encrypted message C sent to the user and wants to determine the contents P of this message.
To do so, the adversary creates some new C and sends it to the user; this message is then automatically decrypted by the user s computer and the user is presented with the corresponding message P
To the user, P appears to be garbled; the user therefore replies to the adversary with, for example, What were you trying to send me? , but also quotes the garbled message P
Thus, the user himself unwittingly acts as a decryption oracle for the adversary.
PGP and GnuPG use both symmetric and asymetric encryption algorithms to encrypt data. First a random key (S) is generated and the data (C) encrypted with it (giving you C'). The symetric key is then encrypted using the asymetric key (public key) giving you S'. When the sessage is sent the encrypted key S' is sent along with the data.
What appears to be happening is that Mr Schneier and buddies have figured out a way to create a data part C', so that when it is decrypted, the orinal symmetric key (S) can be obtained from it.
This means that :
Even if someone tricks you into decrypting a message for him, then that attack will only reveal the contents of that particilar message. (your private key, and all other encrypted data, is still safe)
PGP has not be 'broken', nobody can read you encrypted emails without your help.
This is not the end of PGP/GnuPG.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
As the article notes, this isn't a new attack; Schneir and Katz had a paper on the general principle two years ago; it has been up on the Counterpane Labs site for some time now.
BTW, you don't get S, the session key. You get a new message, P which is related to M in a manner you chose.
Easy example (not real life): Suppose the message C is encrypted using any algorithm in Electronic Code Book mode. To sucker the user into decrypting that, I send him a message C' which includes all the ciphertext blocks which were in the original message C (but not in the same order). He decrypts that (giving P) and quotes it back to me as a garbled message. I now build a codebook with P and C', and use that to decrypt C.
If another mode is used, as in PGP, a more complicated method of constructing C' is required (and is given in the paper), but it still works.
This is how the allies broke the German enigma in World War 2.
//begin not-so-obscure geek reference //end not-so-obscure geek reference
I'm surprised that that counterpane is reporting this as though it were some new idea, it's not.
This is the problem with programs like PGP, they're so well made that they allow a user who has no idea how they work to use them. Unfortunately, that can lead to the simplest of attacks to work.
Cryptonomicon: Waterhouse breaks the cipher used by Shafthoe et al by ensuring that the word 'crocodile' was used in the ciphertext and using it as a crib. Same deal.
If "Kahil Jallad, Jonathan Katz, and Bruce Schneier" write a paper, the abbreviation is "Jallad et al". If Schneier is the LAST author in the list, it probably means he did very little except motivate the paper and help brainstorm.
In case anybody is actually confusing him with another Meestah Katz:
This should put the confusion to rest.
I was wrong about signing. It is indeed performed as Encrypt(Sign(Message)). Furthermore, my suggestion that D(C') would be garbled so as not to be recognizable as a signed message was stupid. OpenPGP requires the decrypted message to be a valid OpenPGP message. The paper clearly pointed out the attacker must not garble the first block of the encrypted message, which includes the header indicating what type of OpenPGP message it is. Thus, a signed message would still be marked as a signed message, and since the part after the first block would be garbled, it would be definitely cause a major warning/error.
This is good work, because it illustrates the real-world importance (i.e., feasibility) of "chosen-ciphertext attacks." PGP and GnuPG are vulnerable to these attacks *by design*. It's not a mathematics problem, or an implementation problem, or a standards problem, but simply a requirements problem. Nobody thought to use CCA-secure encryption in PGP et al. Nor is anyone really to blame: these kinds of attacks weren't even formalized, nor reasonable solutions proposed, until a few years ago. It requires specialized cryptosystems, built from the ground up, to offer provable security against such attacks.
Chosen-ciphertext attacks take advantage of some kind of "malleability" in the ciphertext. For example, say Eve intercepts some RSA ciphertext C of a message M from Alice to Bob. She wants to know M, but can't solve RSA. Well, she just multiplies C by, say, 3^e (mod n) [where e is the encryption exponent in the public key] and sends it off to Bob. Bob decrypts it and gets some junky-looking message M', and sends it along to Alice, saying "what gives?" Little does he know that M' = 3M, whence Eve intercepts M', divides by 3, and viola. In reality the situation is more complicated (RSA is used to encrypt session keys, not full messages), but the principle is the same.
Chosen-ciphertext-secure cryptosystems generally embed some "proof" that whoever generated the ciphertext "knows" the message to which it decrypts. For example, they use (idealized) hash functions, or encryption of the same message under two different keys. This way, Eve can't generate a valid ciphertext by modifying something Alice sent to Bob. If the proof doesn't check out, then Bob can tell that he may be under a chosen-ciphertext attack, and will throw away the ciphertext. In the previous scenario, Bob can't tell whether the ciphertext was built maliciously, or was just the encryption of some garbage that Alice legitimately sent. Here, he can.
I like this work because it moves chosen-ciphertext attacks from the realm of "paranoid academics modelling an unrealistically powerful adversary" to the "real world." Now people may think twice before chosing weaker crypto than is currently available.