Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

Huh?

[CoffeeIsMyGod]

"encryption bypass" ?

That basically turns the entire thing into a physiological magic trick.

closed source encryption software??!!

[hxnwix]

Come on, why would you even consider using such a thing?

Re:closed source encryption software??!!

[moderatorrater]

Whoever modded that post flamebait is completely ignorant of the standards in the security agency, that commonly used security tools be completely open so that people can point out security flaws. With regards to this article, it sounds like the bypass feature was able to be turned on or off, and if they had documented it and let people know, then they could have taken the necessary steps to use it or not, depending on whether you were their unnamed customer.

In other words, the parent's point is perfectly valid.

Re:closed source encryption software??!!

[dgatwood]

This is not uncommon, though the lack of documentation is.... Most such encryption products offer the ability to specify a master encryption key across an organization. The way that works is that your individual crypto key protects a copy of the drive-specific crypto key, which then protects the drive. The company you work for has a master crypto key which is also used to encrypt the drive-specific crypto key. (Usually the latter part is done with PK crypto so the employee can only encrypt contents with what he/she has, not decrypt it.) The purpose for such a "back door" is that if an employee leaves the company, you aren't screwed.

Is there a reason to worry that there might be a secret NSA/FBI/CIA/KGB/Russian Mafia/Rush Limbaugh/Gary Coleman back door? Depends on whether you trust the security vendor. That said, I don't trust security software unless I can see the source code. If you and others can't inspect the code, then for all you know, the security could be nothing more than a little startup app that asks for a password and checks it against a cleartext string in BIOS before performing ROT13 on any data read from the partition. Security software is one of the few places where closed source software simply can never be trusted, and if you do, you are not paranoid enough.

The only people to enable would know about it

And if anyone else can enable it, then they already have access to your computer anyway.

to put out some of the flames

[trybywrench]

from the response:

"We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."

and

"You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."

makes pretty good sense to me

Re:to put out some of the flames

[mritunjai]

You're missing the point!

Yes, it is a nice(TM) feature and might be useful, but that is not the problem.

The problem is that the feature is fricking undocumented. There is absolutely no way to know it is there and how to look out for it. It also means that you can't just know how many of these backdoors are in there. Is it only the first undocumented backdoor ? How many more of the convenience features are in there by customer demand ? How do they affect me ?

When it comes to security software or hardware any and all undocumented features are BUGS! It's a principle, not a convenience!

Re:to put out some of the flames

[Rogerborg]

Calm down, Sparky. It's documented to their customers, i.e. the people who actually need to know about it.

And People Wonder Why Open Source!

[SerpentMage]

When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.

Re:And People Wonder Why Open Source!

[wikinerd]

I like my privacy.

Will be made illegal very soon :(

Re:And People Wonder Why Open Source!

[VENONA]

You sending people off to this reference would seem to indicate that you don't think anyone will read more than the first bits.
http://en.wikipedia.org/w/index.php?title=Data_Encryption_Standard&oldid=161828931, so the Wiki article is versioned.

I guess it all depends upon whether you think factoring large numbers is a hard problem, whether special cases might exist, whether huge amounts of investment dollars matter, etc. From there you make your own call about whether or not to go all elliptical (another bag of worms) or not, etc. In the end, you either trust the math, or you don't. Not counting valid points you brought up about whether you can trust your hardware, compiler, or binary blobs.

One point you didn't bring up is rubber-hose cryptanalysis, which has a proven track record dating back through several centuries. It might be a lot easier for an adversary to ignore your opinions on math, the openness of your compiler, etc. and just beat the living hell out of you. Or just toss you in a cell for contempt of court until you either give up a passphrase, or grow old enough to win a sympathy argument.

Nothing is certain. First you evaluate the *perceived* value of the secrets you're trying to protect. Until you've done that, you can't estimate the potential intensity of the attacks that might be brought to bear in order to obtain those secrets. And only then can you think in terms of effective countermeasures. Assuming there are any, which may not be the case where, for example, an individual is squaring off against the resources of a governmental organization.

What's the point?

What is the point of encrypting the drive if it's automatically decrypted? (ie. the key would be stored plaintext somewhere on the drive) I just can't figure that out.

I don't like PGP in any case. I never have because all their stuff is proprietary. S/MIME, ASN.1, etc are all full blown public standards that do the things PGP does except using open interoperable widely adapted standards.

Re:unnamed customers

[moderatorrater]

A backdoor that's documented, although poorly, that you can disable and requires access to the unencrypted disk beforehand? If it were the NSA they wouldn't have allowed it to be documented and you couldn't disable. However, I can think of several large corporations that would require something like this and would have contracts large enough to justify changing the product for. Paranoia doesn't seem to be justified in this case.

Re:Fine by me..

[idontgno]

They also just lost credibility.

Oh, I don't know. From the start, all the promised was Pretty Good Privacy. Not like Fort Knox, more like a combination padlock on an open-backed locker.

I find myself wishing more and more that Phil Zimmerman hadn't sold to NAI.

Does GPG have a full-disk mode? I think I could trust something with open source and reliable software freedom.

Re:Fine by me..

[illegalcortex]

Or someone or something on the machine has to convince PGP that the user has actively enabled it.

And that "someone or something" has to already know the encryption passphrase to do this. Please think these things through.

Re:Did anyone read the response?

What is it with everyone assuming NSA backdoor without spending the 2 seconds necessary to understand the simple concept at play here?

Some want to be able to boot their encrypted disks without having to enter a startup password. Its that simple. Yes its a stupid idea but some may have perfectly reasonable reasons for wanting it.

1. There is no backdoor.
2. The feature must be explicitly enabled.

Anyone claiming that a trojan can bypass it by setting the encryption password is wrong for two reasons:

1. If a trojan has that level of access to your system how do you intend to stop it from sending all of your data over the network, fetching your decryption key from memory structures or decrypting your whole disk without your knowledge while you sleep? If #1 is ever raised as a concern the game is already over and you have lost/0wned!

2. You need to know the decryption password to enable the feature.

Re:TrueCrypt and GPG

[king-manic]

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

I keep hearing that the 2nd amendment would help in this situation but I haven't noticed any militias storming the local branch of the federal administration. I think the best way to protect Democracy is probably through self-motivated knowledge seeking and political activism on how things work instead of guns, but who can argue with a MP5.

Random Example Bank or Retail would want this

[billstewart]

It looks very much like the kind of feature that a random bank or retail store would want - if the power goes out at a store, you want the system to be able to come back up and run the cash registers even though there's nobody technical enough to trust to press the "reboot" button much less connect a console and type in passwords.

If you RTFA, you'll see that it's a feature that you can only turn on if you've already got access to the disk, and PGP did it so it only works once.

Re:Fine by me..

[Dogtanian]

They shall now be treated as DISHONEST. Lets hope their unnamed big customer can afford to keep PGP in business as they lost mine. They can pay for my business PGP lost. Lets hope they are actually big enough. From everything that's been said, it seems that the worst that PGP can be accused of is not making clear the security implications of a feature that should have been better documented. And that's arguably quite bad- the worst case is a clueless user turning it on and feeling more protected than they should.

However, the feature isn't enabled by default. It requires cryptographic access *and* knowledge of its existence to turn it on. And if you already have cryptographic access, then the whole issue is academic.

You pompously declaring it "DISHONEST" in capital letters smacks of the typical random-geek's kneejerk first post on a messageboard thread. And FWIW, I don't know how much your oh-so-important business with them is worth anyway; I suspect that the other client probably *was* worth more. (Of course, it's quite plausible that the views of *many* smaller clients who disliked the feature would be a serious counterweight. However, if you're going to act like your *individual* view carries so much weight, expect scepticism).

PGP Does Open Source for Peer Review

[A+non-mouse+Coward]

But ... PGP has a peer review, open-source process. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]

unnamed customers???

[someone1234]

Hmm, the FBI paid them for having this backdoor?

1. if i have a real (paying) customer who needs this, i will supply them (and only them) with a customised version.
2. or i fully document the feature.

Jon *did* call it "dangerous"

[billstewart]

Yeah, it's a potentially dangerous feature - but some customers want it anyway, and at least PGP implemented it in a way that's less dangerous than it could have been. I'd have preferred to see some additional hardware involved, e.g. require input from a USB dongle or successful DHCP hit or something in addition to the disk-stored info, but it's hard to get that to work portably and reliably.

Re:Did anyone read the response?

[Ungrounded+Lightning]

The only threat is if someone where to enable this, not reboot, and then have the machine stolen.

I see what is possibly another. I may enable a hole of this form:

If someone gets access to the disk or its contents before the reboot, they can clone the state of the encryption software - which will do one "unlocked" reboot. Later (up to a point where the encryption key is changed) they can shut down the machine, reapply this state, and bring it up without the password, gaining access to data that has been added or updated since the state was cloned.

I see ways to prevent this sort of attack. But they'd have to be built in with blocking such an attack in mind - which means the feature and defense against its corruption would have to be taken into account in the architecture of the rest of the product. (They'd also greatly increase the risk of corrupting the encryption software in a way that prevents even the authorized user from referencing the disk in case of, for instance, power problems on startup or an ungraceful shutdown.)

Re:Why is he modded down?

This raises an interesting question; since the only way to achieve this functionality is to store the passphrase unencrypted (or encrypted with a calculatable key) on the hard disk, how do we know that it is erased adequately? Perhaps we should search the documentation to determine how it goes about erasing the data...

Re:You missed the point. What else are they hiding

[Chibi+Merrow]

With propretary software, there's no way to know. It could have any number of malicious or ill-conceived/insecure features. Why risk it?

Because a backdoor can just as easily be slipped into open source software, if not more easily since everyone's assuming "Oh it's open, someone else is looking for backdoors." On top of that, when things go south there's no one to point the finger at and no one to go to for support.

Look at all the security flaws that have popped up in Firefox over the past two years that could have led to a complete security breach on a user's machine. Most were probably just innocent mistakes, but what if they were intentional? How would we know? And who could we blame?

Putting a GPL license on something doesn't automatically make it pure and holy.

Re:Not turned off by default

[A+non-mouse+Coward]

Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.

Sheesh.

Hey idiot! Go back to watching your "Full House" re-runs ('sheesh').

I did not say that somebody who DOESN'T have a passphrase could turn the feature on. RTFA and realize that any USER (get it? Not "admin") can use this feature, enabling the bypass. Sure, today, (again, you near-sighted idiot) the only way to use this is through the command line, but this is a crypto operation, not a connection to your mom's website, meaning there is no record of who makes crypto operations. It might be a trojan (which yes, I get it, it's got your passphrase), but imagine this: a worm like the storm worm gets modified to (in addition to the myriad of things it does) capture users' passphrases, add the bypass, and modify the PGP Boot Guard to not remove the bypass ... ever. Then a random theft (get it? by somebody who doesn't know squat about PGP WDE) has access to data whilst admins think all is safe. What users will report that the nagging pre-boot auth dialog stopped working (as if they'd ever even notice)???

And of course, (again I'll get enjoyment for calling you an idiot) an admin who uses this feature but has an adversary pick up the device PRIOR to the reboot happening and the oh so magical PGP Boot Guard removing the bypass ... well, that suddenly is unauthorized access by somebody who doesn't know the passphrase and didn't social engineer a user into giving it up.

This guy gets it. Why can't you?

Now go say hi to Jesse and the twins for me.

Re:Fine by me..

[1u3hr]

I unplug your network cable and remove your hard drive, Plug your harddrive into my system..Get the data and recheck, the pre-boot authentication. Put the hard drive back into your computer. Turn it on. it continues the reboot process.. Except for the extra delay.....you never know I just got your data.

You forgot the part where you descend form the ceiling suspended by a wire harness and hang upside down while typing into the console.

With that degree of access, there are a million things you could do to gain access to sensitive data. (Eg, rummage throught the filing cabinet, paper is still king; install a physical keylogger dongle; etc, etc.) This would just be the icing on the cake; they're fucked already.