Slashdot Mirror
Undocumented Bypass in PGP Whole Disk Encryption
A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."
Maybe they were unnamed because there is No Such Agency?
I don't need large brains to have a good time.
"encryption bypass" ?
That basically turns the entire thing into a physiological magic trick.
Come on, why would you even consider using such a thing?
And if anyone else can enable it, then they already have access to your computer anyway.
Seriously, customers require this so IT staff can do remote support and reboot the machine remotely. It is only enabled for one reboot, and you must have cryptographic access to enable this feature. The only threat is if someone where to enable this, not reboot, and then have the machine stolen.
Why does crap like this make it to the front page of Slashdot?
ÕÕ
from the response:
"We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."
and
"You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."
makes pretty good sense to me
I came to the datacenter drunk with a fake ID, don't you want to be just like me?
When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!
I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
"We are not the only maNufacturer to have Such a feature -- All the major people do, because our customers require it of us.
Once upon a hard drive bare
I pinged a host that wasn't there
It wasn't there again today
The host resolves to NSA.
- Burma Shave
If you RTFA you'd see this feature is needed for anyone who remotely-boots their encrypted drive. The feature is not a backdoor - it has to be enabled by someone with cryptographic access to the drive, and it only works once per setting - reboot, and it's disabled. The only way this could be a security issue is if it's enabled, and before the drive boots up again, the drive is stolen. Features like this are needed, as without them, the drive is useless for remote management, and people won't use encryption, which is obviously far more insecure than having this feature and using it correctly.
RTFA or at least TFComments (though that might be difficult in your rush to be first post). As many have pointed out, to turn on the feature, you have to already get past the encryption. It's not a "backdoor" in any sense. Someone who doesn't already know the passphrase can't use it to get access to the drive. Plus, this feature is turned off by default so the user has to actively enable it. You enter the passphrase, reboot the computer and on THAT boot, it doesn't ask you for a passphrase. Next reboot it does.
This actually DOES sound like a very good feature and I would hope other products have it, too. Wish the editors would RTFA, too...
Didn't read the article -- didn't see that you can only bypass it by enabling it for the next reboot after which it returns to normal.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
They also just lost credibility.
Oh, I don't know. From the start, all the promised was Pretty Good Privacy. Not like Fort Knox, more like a combination padlock on an open-backed locker.
I find myself wishing more and more that Phil Zimmerman hadn't sold to NAI.
Does GPG have a full-disk mode? I think I could trust something with open source and reliable software freedom.
Welcome to the Panopticon. Used to be a prison, now it's your home.
There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -
The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the bios, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theorhetically not even the NSA could decrypt the laptop without the user's password.
Here's the flaw - the software has a checkbox to disable Pre-boot authentication. What this does is generate a default user with a random password, and then store this random password obfuscated but in clear-text in the same disk area decryption software. When you talk to the sales-people, they sell this as a feature, in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.
Today it seems to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.
I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that its basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)
well, read the other replies. apparantly it is a feature you have to enable yourself, which is useful in some cases, and is no security danger (unless you do stupid things with it). the entire story seems to be a non-issue... it's no real backdoor, just one you can enable for certain uses.
With that understanding, I am developing a new data security system using heretofore unrealized technology, and plan to bring it to market in the near future: look for products from BHS in stores during the month of No-never.
This message brought to you by the unique folks at BHS. Black Hole Systems: we are defined by our singularity!
Sometimes I have to say to hell with it and just eat my jellybeans.
As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?
I keep hearing that the 2nd amendment would help in this situation but I haven't noticed any militias storming the local branch of the federal administration. I think the best way to protect Democracy is probably through self-motivated knowledge seeking and political activism on how things work instead of guns, but who can argue with a MP5.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Because he failed to read the article correctly.
There isn't a backdoor. If you encrypt your hard drive, then lose it, nobody can read it.
If on the other hand, if you've encrypted your boot disk, and you want to remotely reboot your machine, you're going to need someway to feed the password to it before it can bring up the OS (and the networking layer).
This feature allows you to store a password for 1 time use. Then you reboot the machine, and when it comes up, it reads the password and erases it.
It's a useful feature. Doesn't effect you if you don't use it. Even if you do use it, you'd have to set the password then forget to reboot for it to be a problem.
Basically this whole story is a non-issue. The moderation on the grandparent is a reflection of his failure to reason through this.
# (/.);;
- : float -> float -> float =
So which full disk encryption software does Slashdot recommend? Preferably FOSS and available for *Nix and Windows.
If you RTFA, you'll see that it's a feature that you can only turn on if you've already got access to the disk, and PGP did it so it only works once.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?
Takers?
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
However, the feature isn't enabled by default. It requires cryptographic access *and* knowledge of its existence to turn it on. And if you already have cryptographic access, then the whole issue is academic.
You pompously declaring it "DISHONEST" in capital letters smacks of the typical random-geek's kneejerk first post on a messageboard thread. And FWIW, I don't know how much your oh-so-important business with them is worth anyway; I suspect that the other client probably *was* worth more. (Of course, it's quite plausible that the views of *many* smaller clients who disliked the feature would be a serious counterweight. However, if you're going to act like your *individual* view carries so much weight, expect scepticism).
"Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
The GPG program that you download doesn't do full-disk encryption; it's pretty purely a file/stream encryption program. I suppose you could use it for disk encryption, by streaming data through it on its way to and from a device, but that's not how it's normally used.
There is/was a program around that used GPG to do FDE, called GPGDisk. I'm not sure whether it used your installed copy of GPG to do the heavy lifting, or if it just included the same code, or worked using the same algorithms but had its own totally separate crypto engine. It was reasonably popular for a while, but I think a lot of people who were using it have now switched to TrueCrypt.
However, GPGDisk did offer some unique features, like the ability to encrypt a disk using a GPG key, and some fairly fine-grained access controls that you could set up for multiple users (IIRC). Every once in a while someone will mention it on the comments on Bruce Schneier's blog, so apparently it's still getting some use. But it doesn't offer some of the neater features that TrueCrypt does, like plausible deniability or containers-in-containers, I don't believe.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
But ... PGP has a peer review, open-source process. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
I don't understand that argument. Why is it necessary to have two passwords? An organization must have a database of user passwords, correct? A user may call and say he lost his password.
The only reasons I can imagine for having two passwords are convenience for IT, when they aren't fully automated, and secret government surveillance.
An organization with 1,000 users must manage 1,000 passwords, anyway.
What happens in an organization when a member of the IT staff leaves? The IT access special password, if there is one, needs to be changed on 1,000 computers.
It seems to me that there may be far better ways to manage that situation rather than having a global password.
Hmm, the FBI paid them for having this backdoor?
1. if i have a real (paying) customer who needs this, i will supply them (and only them) with a customised version.
2. or i fully document the feature.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Yeah, it's a potentially dangerous feature - but some customers want it anyway, and at least PGP implemented it in a way that's less dangerous than it could have been. I'd have preferred to see some additional hardware involved, e.g. require input from a USB dongle or successful DHCP hit or something in addition to the disk-stored info, but it's hard to get that to work portably and reliably.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.
Sheesh.
What, only one referance to Phil Zimmermann? One of the main reasons Philip Zimmermann created Pretty Good Privacy in 1991 was because of the US government wanting to install backdoors in encryption software.
I can't believe you made such a long post about a moot point. If you social engineer someone to give you the passphrase, you don't even need to use this feature. The passphrase is the whole thing encrypting the disk. If you have the passphrase, you ALREADY GOT THE ACCESS. You don't need any fancy reboot tricks.
Because a backdoor can just as easily be slipped into open source software, if not more easily since everyone's assuming "Oh it's open, someone else is looking for backdoors." On top of that, when things go south there's no one to point the finger at and no one to go to for support.
Look at all the security flaws that have popped up in Firefox over the past two years that could have led to a complete security breach on a user's machine. Most were probably just innocent mistakes, but what if they were intentional? How would we know? And who could we blame?
Putting a GPL license on something doesn't automatically make it pure and holy.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
It's a bypass. You've got to build bypasses! Besides, you should've made your protest months ago. These plans have been on display at the planning office now for a year.
I did not say that somebody who DOESN'T have a passphrase could turn the feature on. RTFA and realize that any USER (get it? Not "admin") can use this feature, enabling the bypass. Sure, today, (again, you near-sighted idiot) the only way to use this is through the command line, but this is a crypto operation, not a connection to your mom's website, meaning there is no record of who makes crypto operations. It might be a trojan (which yes, I get it, it's got your passphrase), but imagine this: a worm like the storm worm gets modified to (in addition to the myriad of things it does) capture users' passphrases, add the bypass, and modify the PGP Boot Guard to not remove the bypass
And of course, (again I'll get enjoyment for calling you an idiot) an admin who uses this feature but has an adversary pick up the device PRIOR to the reboot happening and the oh so magical PGP Boot Guard removing the bypass
This guy gets it. Why can't you?
Now go say hi to Jesse and the twins for me.
libertarian: (n) socially liberal, financially conservative; neither left, nor right.
You forgot the part where you descend form the ceiling suspended by a wire harness and hang upside down while typing into the console.
With that degree of access, there are a million things you could do to gain access to sensitive data. (Eg, rummage throught the filing cabinet, paper is still king; install a physical keylogger dongle; etc, etc.) This would just be the icing on the cake; they're fucked already.
Okay, so let me explain why I'm telling you the software doesn't work like this. Here's the key thing to remember: the pre-boot lockout is not the thing protecting data on the disk.
Here's a scenario:
1) Install PGP and encrypt the drive.
2) Reboot
3) Turn on the bypass for the next reboot
4) Shutdown
5) Remove the drive and stick it (or copy of the drive) in another computer as a secondary drive
6) Try to access the drive
From your posts, it appears you think you'll see all the files. The simple fact is that you won't. It will appear as an unrecognized volume. That's because the files are still encrypted. The operating system will not be able to access the files. You're screwed.
The whole bootloader is just another step of lockout. First there's bootloader, then there's the windows login. Again, the bootloader is not the thing that "turns off" encryption on the drive after you get past it.
I was already assuming this was how it works because to do it otherwise would be quite foolish. I thought back to the parallels of how Windows works when you turn on encryption for certain files. The delay in most post was because I wanted to check this out with the real product to make sure my assumptions weren't bad. And guess what? I was right. I tried this out in the real world with the real product and the volume was still encrypted even though the bootloader password was bypassed.