Security Flaw Discovered in GPG
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
A serious security issue in GPG! We are all doomed!
;)
what is GPG?
Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
It's a good thing I don't use GPG to sign my emails. Oh wait.
For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an open-source community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After all, some people (including myself) have invested some very expensive stakes in the security of GnuPG over the years.
HopeSeekr of xMule
Promote freedom; fight fascism.
that GPG user lives downstairs i'll just tell him there is a problem
Since I use GnuPG to sign my e-mails (not that I believe anyone actually verifies the signatures, nor do I send any e-mails for which it would really matter all that much -- it just seems like good practice), I ran to check my version of GnuPG as soon as I saw the /. blurb.
1.4.2-2
Hmm. The -2 means that this is the second packaging of the 1.4.2 release. So it's been out for a while. Checking the changelog, I see that 1.4.2-1 was released 24 Sep 2005. My system would have gotten the update within a couple of days of that release date, so I got the fix nearly six months *before* the vulnerability announcement.
Can't complain about that!
Is this flaw in encoding or decoding? IOW, will the new version of GPG be able to sniff out modified signatures, or are all signatures made by old versions modifiable w/ no recourse?
Don't forget the RSA key that had the words "NSA key" in the debug symbols that first made it into Windows 98 and stayed there until WinXP SP2!! I feel these things are probably very prevalent; it's already common knowledge every U.S. ISP is pwned by their black boxes, usually also loaned to the FBI and then false-flagged as 'Carnivore' (in reality it's an outcropping of ECHELON... err, now ADVISE (see my slashdotted story...)).
Promote freedom; fight fascism.
So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.
In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.
So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops. Not a big deal; encryption isn't broken. In fact this is just an application bug.
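The splitting the post above describes, as an added example that is not part of the original thread or of GnuPG: take a mail body that carries an inline (cleartext) OpenPGP signature and separate the text the signature actually covers from the unsigned preamble and trailer around it. It does not verify anything; it only makes visible which lines a verifier that prints "the whole message" would be showing without coverage. The sample mail and its signature armor are constructed placeholders, not a real signature.

```python
"""Split a mail body with an inline (cleartext) OpenPGP signature into the
covered and uncovered parts.  Added example; not GnuPG code.  The sample
message below is constructed and its signature block is a dummy."""
from dataclasses import dataclass

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


@dataclass
class SplitMessage:
    preamble: str     # text before the signed block: NOT covered by the signature
    signed_text: str  # cleartext the signature was computed over
    signature: str    # the armored signature block itself
    trailer: str      # text after the signature block: NOT covered


def split_clearsigned(body: str) -> SplitMessage:
    """Locate the cleartext-signature framing (RFC 4880 section 7) and split."""
    lines = body.splitlines()
    try:
        start = lines.index(BEGIN_SIGNED)
        sig_start = lines.index(BEGIN_SIG, start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError as exc:
        raise ValueError("no complete cleartext-signature framing found") from exc

    # Armor headers such as "Hash: SHA1" follow the BEGIN line and end at a blank line.
    i = start + 1
    while i < sig_start and lines[i].strip() != "":
        i += 1
    signed_lines = lines[i + 1:sig_start]
    # Section 7.1: lines of the signed text starting with '-' are dash-escaped as "- ".
    signed_lines = [ln[2:] if ln.startswith("- ") else ln for ln in signed_lines]

    return SplitMessage(
        preamble="\n".join(lines[:start]),
        signed_text="\n".join(signed_lines),
        signature="\n".join(lines[sig_start:sig_end + 1]),
        trailer="\n".join(lines[sig_end + 1:]),
    )


# Constructed sample: unsigned text wrapped around a signed block.
# The base64 in the signature block is a placeholder, not a real signature.
SAMPLE_MAIL = """\
Hi Alice, please wire one million dollars to account 12345 right away.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How's the weather out there?
- -- Bob
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFEPLACEHOLDERNOTAREALSIGNATUREXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=abcd
-----END PGP SIGNATURE-----
P.S. And send me all your credit card numbers."""


def uncovered_lines(body: str) -> list:
    """Return every non-empty line a reader would see that the signature does not cover."""
    m = split_clearsigned(body)
    return [ln for ln in (m.preamble + "\n" + m.trailer).splitlines() if ln.strip()]


if __name__ == "__main__":
    m = split_clearsigned(SAMPLE_MAIL)
    print("SIGNED TEXT:\n" + m.signed_text)
    print("\nNOT COVERED:")
    for ln in uncovered_lines(SAMPLE_MAIL):
        print("  " + ln)
```

A mail client that shows only `signed_text` under the "good signature" banner, and renders `preamble` and `trailer` visibly as unsigned, removes the ambiguity the post complains about regardless of which GnuPG version did the verification.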
Sound like a movie rating.
She thought she could get rid of me with that rejection via email. Now I've got reasonable doubt about her feelings. Until I get that court order, of course.
End transmission.
remember how many versions of OpenSSH we have? And why do you think new versions were released? And why should GPG be any different?
The parent AC is wrong.
1.4.2-2 is not equal to 1.4.2.2, and it is older than 1.4.2.2
the -2 is the 2nd Debian modification of 1.4.2
Another good recommendation is to diversify your crypto. Sign/encrypt your data with multiple different crypto algorithms in the same message. It's like network redundancy: the odds of both methods failing at once are equal to the product of the low, but significant, probability of either failing. A single failure doesn't ever compromise your data, and buys time to get a new second method that works.
Of course, sent messages can't be recovered for reprotection with the new second method. And eventually the other original method will be compromised, so the attacker can use the appropriate methods for each. But at least you've improved your security. Probably more than the next guy. Next lesson: when the bear is chasing y'all, you don't have to be the fastest; just not the slowest.
--
make install -not war
mod parent
Maybe Apple will finally appoint a Security Czar and take care of these flaws and all you Apple Fanboys....oh wait...
GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA. Between them, they are one of the standards for encryption and verification of sensitive data (including email).
As opposed to X509/SSL which seems to be designed for centralized trusted certificate issuers, GPG/PGP depend on a (decentralized) web of trust -- You decide which signatures you wish to trust, and then those signatures can be used to signify who they trust... If you have enough trust in the signature web for a public key you have for someone, then it is presumed that the key is trustable.
GPG seems to be supported by people who include some serious heavyweights in the encryption community.
IANASE (I am not a security expert), so any corrections to this explanation would be much appreciated.
OS Software is like love: The best way to make it grow is to give it away.
So a bug was discovered in the older versions of an open source software and if you have a recent update, you are not affected? Really, stuff that matters, I am shocked and surprised!
Actually, 1.4.2-2 is the second *Debian* release of 1.4.2, probably to fix packaging bugs or minor bugs in the software that weren't yet available in an upstream release. 1.4.2-2 != 1.4.2.2. Debian users still need to upgrade when a new package is available.
Xfce: Lighter than some, heavier than others. Just right.
I tried the Windows version of GNUPG and it refuses to recognize any public or private keys that it generates or that I imported from PGP. I counted on using it after switching to Thunderbird, but GNUPG broke and the updates do not seem to fix it. Maybe it has issues with XP SP2, NTFS or something?
Ah well, maybe I can install it on my Linux machine?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
It's not the kind of bug that people would put in intentionally; it's more a conceptual error, made when trying to retrofit digital signatures into an email system not designed for it.
As to where it came from, you can check the version control log files; it's all there.
Anyone else remember hearing about this at Defcon last year?
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
That information should never have been released! The negative press will impact sales. It would have been better to pretend the bug never existed.
Oh, it isn't corporate product, nevermind.
did anybody cross-check the authenticity of that warning? I wont accept that until I verify its GPG key :)
The bug allows someone to take a signed GPG message, stick in their own unsigned message in a certain way, and GPG will show you the combined message or even just the new message, but tell you that it is signed by the person who signed the original message.
If you read the message using the new GPG 1.4.2.2 it will correctly not accept the hacked message. So if you have any question about signed mail you received, you can check it again after upgrading GPG.
The bug only affects embedded signatures, such as in email messages using inline signatures or signed encrypted email. I think that excludes PGP/MIME signed unencrypted email, which is a common format for signed mail and would be a form of detached signature.
The bug does not affect "detached signatures", which are the kind that are used to verify software downloads, which means it could not have been used to hack yum, apt-get, etc.
All in all, not a big security flaw unless someone takes a signed email that you sent them, forges a GPG signed request to your domain registrar to transfer your million dollar domain name to them, and your registrar hasn't yet updated to GPG 1.4.2.2. Whoops -- if you upgrade GPG right now, it wouldn't help in that scenario.
Shouldn't this read Security Flaw Discovered for users of GPG ?
I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?
Are my GPG encrypted messages to the Kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? That's about all I use GPG for.
Enjoy.
It's just the normal noises in here.
I'm tired of their insecure crap! Oh wait, it's GNU open source? In that case, you lazy bastard end users should have fixed it yourself!
I updated my compiler a while back and it actually claims to be 4.0.3, it should have been 4.0.2-1
I'd say at least since May 2004. This is some pretty old news. Still, I hadn't been aware of it, so it's nice to know. You know, in case I ever actually have a need to digitally sign an email.
If you can read this sig, you're too close.
"For instance, the use of double encryption does not provide the expected increase in security [MH81] when compared with the increased implementation requirements, and it cannot be recommended as a good alternative. Instead, triple-encryption is the point at which multiple encryption gives substantial improvements in security."
From http://www.x5.net/faqs/crypto/q85.html
Nevermind. That was a much older (and from what I can tell, much more serious) bug.
If you can read this sig, you're too close.
Better assign a security Czar!
"There is more worth loving than we have strength to love." - Brian Jay Stanley
No, you are a nonymous coward, and you are not his mother.
He had a mother!
Does it make the e-mails less safe? No. First, the flaw is for adding material, not reading it. Second, it's for signing, not encryption per se. It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that anyway.
Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to append a change-of-IP request to some ISP's routine request to a registrar, which means an attacker could create a phony DNS server for the express purpose of polluting the DNS namespace. If the registrar uses GPG's validation as proof of a legit request (and some are quite happy with a fax with no proof of origin at all) then it could have an impact.
Is this a likely scenario? No. The problem with lack of validation has been around for decades and has been used by cybersquatters and porn merchants, but never (as far as I know) for Black Hat activities. The lack of any significant effort has never been due to security. My best guess is that it's due to skript kiddies being clueless. Which is just as well. If demonstrable and simple exploits aren't being used to cause catastrophic levels of mayhem, then I think we're pretty safe against this somewhat more sophisticated vulnerability requiring (as you correctly point out) a MitM attack.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
...as it is already designed to tell you precisely what part of the e-mail is signed. Is there a more convenient way to handle GPG for e-mail than enigmail anyway?
Insert self-referential sig here.
With the advent of VoIP, crypto chips that you can buy off the shelf, etc, it would neither be difficult nor unreasonable for businesses to support extremely secure lines of communication. Five, ten, years ago, it wasn't realistic to expect much in the way of particularly strong protection of communications. These days, the reverse holds true. It is no longer reasonable to expect businesses to maintain insecure lines of communication, simply because they always have done.
"Absolute security" is one of those terms that gets bandied about by cryptography experts but it has no clear definition. It's easy to show that an undefined goal can't be reached!
Let us start with a reasonable definition of "absolute security": The message, if intercepted, cannot be brute-forced, as it is impossible to distinguish between valid and invalid decryption attempts, AND the valid key cannot be intercepted or stolen, AND the message cannot be tampered with, AND the message must not be repudiatable.
Part 1 is easy to achieve. You use a strong compression algorithm to essentially pre-randomize the data. Part 2 uses a stored copy of a natural, totally random source as the key for a One Time Pad to encrypt the data. Part 3 is to use a public-key encryption system with partial decryption keys (ie: no one person has enough of a key to decrypt the message, but perhaps two together or three together would). The encryption mode (how the key shifts between blocks) needs to be authenticating and validating. NIST have specifications for such modes.
Now, if attacker A breaks into a person's house and lifts their partial key and the OTP, they can do what? The OTP will apply perfectly well to a corrupt message, so every possible attempt to break the public key will have equal likelihood of being correct, making it useless.
Is this far too much for a typical business? Sure. The question I answered was not whether it would be practical, but whether it would be possible. I believe I have demonstrated here that it would be possible, although I can think of no way to make it practical.
What, then, is practical? STU phones, or a reasonable facsimile using a stream cipher and VoIP, along with virtually private messaging. ie: where some combination of strong authentication, strong validation, strong encryption, and VPN tunneling, is used to create an environment in which unauthorized individuals would find it impractical to identify the type of communication and would not likely be able to determine the contents within the meaningful lifetime of said contents.
If you can meet these criteria - and it shouldn't be hard - then security may not be "perfect" in an absolute sense, but the likelihood of an intercept or a false message would be so close to zero in the next 20-30 years that unless you're dealing with national secrets, this would give you as close to perfect security as you need.
NB: Since breaking into machines and installing keyloggers and event loggers is possible, I'm assuming both primary parties are using systems that are as hardened against direct attack as OpenBSD, and would meet a significant portion of the old Orange Book B3 standard.
Red Hat Enterprise 5 is being evaluated for the following: EAL 4 Augmented with ALC_FLR.3, Controlled Access Protection Profile (CAPP) Version 1.d, Labeled Security Protection Profile (LSPP) Version 1.b, Role Based Access Control Protection Profile (RBACPP) Version 1.0. There are probably hardening patches out there - not to mention some excellent crypto hardware - that can improve the results further. Two systems like that, at the end points, with the best encryption methods in public use, is simply not going to be on anyone's list of targets, which means that it is de-facto absolutely secure, even if it is not literally so.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Quote from parent: "Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed."
....
;o7fp 2;4j2;o8ps98f j3;r
....
Well, then a little GOOD social engineering could resolve this, right? Some prepend and append markups could help identify what was injected.
Example: (Pre-encrypted)
Begin Encrypted Body HERE:
We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding
End Encrypted Body HERE.
=======
Now, the injected part might be:
You are discouraged from complying with the contents of this message.
fasd;
Begin Encrypted Body HERE:
We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding
End Encrypted Body HERE.
485wiapeow8r-934-5834u
==========
OK, so is this good enough? Everyone? Anyone?
Alternatively, the message could be sent in duplicate, via another transmission method, or the first decrypt could contain the raw message, but the confirmation (if speed is not of the essence) could be in a plain text message with some of the NON-CLASSIFIED text in the same sequence. Having received it from another secure channel, the authentication could be had by comparing the sensitive with the non-sensitive "sanitized" version. Besides, how would Uncle Sam know when and what the contents of the out-of-channel authentication message would be? You could be sending a red herring in the encrypted message JUST to see if they're tampering with your traffic...
Now, if you want something to REALLY worry about... consider: you're using Amarok to receive songs. How do you KNOW that the packets entering your machine are SAFE? So much CPU processing is going on with your KDE or Gnome GUI and any music scopes and rotating desktops that you really can't KNOW WHAT the hell is in your machine even if you real-time scan or spot-check. Unless you've got a quantum computer or a brain-machine interface with your brain able to process terabytes to the terabyte power, (and enough hours in the day) how will you KNOW your machine isn't back-door attacked by NSA or someone smarter than you? Even if you run Tripwire and other stuff, do you REALLY check ALL those checksums? Don't know bout U, but I change enough files all day to just not CARE anymore. Well, except to hope no one's PLANTING stuff or defacing my files.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
what is GPG?
You are a disgrace to nerds!
Better: Everyone uses HTML mail, so:
....
Begin prepended text HERE:
<!--
End prepended text HERE.
Begin Encrypted Body HERE:
We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding
End Encrypted Body HERE.
Begin appended text HERE:
--> We're caught! Destroy the evidence... and kill Jack, that damned traitor!
End appended text HERE.
http://outcampaign.org/
Geez... when are people gonna realize that software using digital signatures sucks? Grab Secured eMail instead and live life easier ;)
Ok everyone, here's the deal. From now on, if you get a signed message from your friend that starts with, "How's the weather out there?" and ends with "P.S. Send me one million dollars and all your credit card numbers." *Don't do it*.
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Please note that when you update, your version number may not change. Depending on what OS you use and who you get your updates from, you might get an old version with back-ported fixes. If your version number is not the one mentioned here, you need to check with your OS vendor. Most will have a Web site listing security updates and what vulnerabilities they address.
Dear Alice,
Have you heard? GPG has a bug in it that lets people append data to a signed email message! What are we going to do to stop Mallory from attacking us?
Sincerely,
Bob
PS. Jus7 k!dd!ng! 1ts n0t 7ru3! I'm t@lk!ng thr0ugh my @$$!! LOLOLOLOLOL
This applies to a very specific case where a message is constructed by hand with multiple data packets and a single signature packet, so:
I say "might" as in all of these cases it depends on how GnuPG is called.
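The packet-level shape that the post above, and the earlier post about embedded versus detached signatures, both describe (several data packets but only one signature packet) is something a verifier can look for before it trusts any output. The following is an added example, not code from GnuPG or from the thread: it decodes only OpenPGP packet headers (RFC 4880 section 4.2, old and new format), lists the packet sequence, and flags a message in which literal data packets outnumber signature packets. It does not verify signatures, and the sample messages are built by hand with dummy one-pass-signature and signature bodies purely to exercise the parser.

```python
"""Walk the packet structure of a binary OpenPGP message and flag the shape
discussed in the thread: more literal data packets than signature packets.
Added example; not GnuPG code.  Sample packets are constructed with dummy
signature bodies and only headers are decoded."""
from dataclasses import dataclass
from typing import Dict, List

TAG_NAMES = {2: "signature", 4: "one-pass signature", 8: "compressed data",
             11: "literal data"}


@dataclass
class Packet:
    tag: int
    body: bytes


def _new_format_length(data: bytes, pos: int):
    """New-format body length (RFC 4880 4.2.2). Returns (length, position after it)."""
    first = data[pos]
    if first < 192:
        return first, pos + 1
    if first < 224:
        return ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
    if first == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not handled in this example")


def parse_packets(data: bytes) -> List[Packet]:
    """Split a packet stream into (tag, body) pairs without interpreting bodies."""
    packets, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError(f"byte at offset {pos} is not a packet header")
        if hdr & 0x40:                       # new-format header: tag in low 6 bits
            tag = hdr & 0x3F
            length, pos = _new_format_length(data, pos + 1)
        else:                                # old-format header: tag in bits 2..5
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate old-format length not handled")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
            pos += 1 + nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        packets.append(Packet(tag, body))
        pos += length
    return packets


def signature_coverage(packets: List[Packet]) -> Dict[str, object]:
    """Count data and signature packets; one signature should cover one literal."""
    literals = sum(1 for p in packets if p.tag == 11)
    sigs = sum(1 for p in packets if p.tag == 2)
    return {"literal": literals, "signature": sigs,
            "sequence": [TAG_NAMES.get(p.tag, f"tag {p.tag}") for p in packets],
            "suspicious": literals > sigs}


# --- constructed test data -------------------------------------------------
def old_packet(tag: int, body: bytes) -> bytes:
    """Encode an old-format packet with a 1- or 2-byte length field."""
    if len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body


def literal_data(text: bytes) -> bytes:
    """Tag 11 body (RFC 4880 5.9): format 't', empty filename, zero date, then data."""
    return old_packet(11, b"t\x00\x00\x00\x00\x00" + text)


DUMMY_ONEPASS = old_packet(4, b"\x03" + b"\x00" * 12)   # not a real one-pass sig
DUMMY_SIG = old_packet(2, b"\x03" + b"\x00" * 20)       # not a real signature

# Shape of an ordinary inline-signed message: one-pass sig, one literal, signature.
NORMAL = DUMMY_ONEPASS + literal_data(b"How's the weather out there?\n") + DUMMY_SIG
# Same, with a second literal data packet spliced in ahead of the signature.
INJECTED = (DUMMY_ONEPASS + literal_data(b"How's the weather out there?\n")
            + literal_data(b"P.S. Send me one million dollars.\n") + DUMMY_SIG)

if __name__ == "__main__":
    for name, msg in (("normal", NORMAL), ("injected", INJECTED)):
        print(name, signature_coverage(parse_packets(msg)))
```

Run the block and the two sequences print as `one-pass signature, literal data, signature` and `one-pass signature, literal data, literal data, signature`; only the second is flagged. A verifier that refuses to emit anything when this structure check fails, instead of printing all literal data and then reporting the one good signature, cannot be talked into showing unsigned text under a "good signature" banner.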
I always have wondered why the spammers aren't using the database of PGP/GPG keys to send spam too. Maybe they are, but obviously aren't willing to sign it for computational reasons, even with a phony key.
Get rid of everything Micro and Soft: Buy Viagra and/or Linux
and I wish to subscribe to your newsletter...
I agree. Is there a site anywhere to replace the old slashdot we know and love?