Re: Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING

[Andreas Beck]

[EMAIL PROTECTED] wrote:
 This to answer Mr Jon Callas (PGP CTO) and to show him the last
 proof-of-concept. If he did not get it we consider we have done our
 part to report a BIG problem in PGP unless this is some kinda of
 HIDDEN features.
 
 We do not know why they just see one side of the coin.

I don't quite see the other side. They, and several others here have
explained what is happening.

At most I can see a user interface issue here, as I will detail below:

 What if you had  created a virtual disk  and give that to  someone.
 That someone use it as his/her own disk 

This is unsafe, unless the disk is reencrypted.


 and decided to change the password because they own the disk now 

The assumption that changing the password will disallow access from 
a former owner of _that_ very same disk is wrong.

You have to reencrypt the disk, if you want to take full ownership of
the data.


 So they did change the passowrd, but the originator can still access
 that disk if he/she replace the passphrase bytes in the binary file. 

That is not even necessary. You can just save the actual encryption key
and decrypt the disk with a modified software.


 So I consider this an attack on data INTEGRITY and data AVAILABILITY 

Containers of this kind cannot assure this anyway.

Integrity of the file might be checkable, but what is the point in
checking the integrity of data you want to protect from an adversary
that can decrypt the data anyway?

Are you suggesting that the software should check for a modified header?

How should the software do that? Said header is perfectly valid. It is
just for another time in the disks lifecycle.

So you could only check it together with the whole disk. That would mean
hashing a few GB of data ... everytime you unmount the disk. Or at least
everytime you want to check integrity - so at least at mount time ...

And: What would that give? An attacker can easily disable such checks.


Regarding availability:

 since the legitimate user will be denied access to the disk after 
 replacing the passphrase bytes.

How do you want to avoid that? If an attacker has write access to a
container file, he can just as well overwrite it with gibberish, thus 
really denying access.

A cryptocontainer is designed to thwart illegitimate access to data.
It is not designed to protect its content against manipulation.


 why you do not want to see that your password verification can be
 simply bypassed, 

It cannot. You can only restore a previous version of the disk key, 
which was encrypted by a known password.

You could just as well simply store the disk key.


 besides a reputable co. like PGP should at least put anti-debugging 
 tweaks, 

What for? Security by obscurity?

If you use it properly, it is absolutely irrelevant, if the encryption
software is being traced.

If you cannot recover the disk key, you can't read a single thing making
sense.

You are _not_ bypassing any authentication with your trick. You are
only using you previous knowledge about the disk key in an obscure way.

You can just as well jump ahead in the code to the point where the disk
key is there in decrypted form, replace it by the known value and run on.

No need to even enter a password actually.


 or even encrypt/hide the passphrase location

It is encrypted. Let's sketch the way such programs work again:

When a container is created, a random disk key (DK) is generated. This is 
what is used to actually encrypt the sectors on the disk.

When reading/writing, something along the lines of
D_S(DK,[sector ciphertext]) or E_S(DK,[sector plaintext] is used to 
en/decrypt the sector, where D_S and E_S are the sector de-/encryption
functions, which often take additional state parameters (like the sector
number) to avoid some watermarking attacks etc.


As humans are very bad at remembering 256 Bit binary (or hex or base64
or ...) values, this key needs to be stored somewhere.

Unless hardware crypto tokens are in use, where can you store it?

First idea: On disk.
But: This would be ridiculously insecure.

The solution is, to store it, but encrypted. So what disk encryption
programs usually do, is to store the actual disk key somewhere in the
volume header of the container - encrypted with the passphrase the user
has to give when mounting.

Of course one could as well derive the disk key directly from the
passphrase. However that has the disadvantage of not being able to
change the passphrase easily.


Let's reiterate the workings once more:

When doing operations on the disk like reading/writing sectors, the Disk
Key DK is used like this: D/E_S(DK,[sector cipher/plaintext]).

The key DK has been randomly generated at volume creation time.

When a user mounts a crypto volume, the Disk Key needs to be determined.

This is done by entering a password/phrase. This passphrase is then used
to decrypt an encrypted version of DK.

So what is in the volume header is E_DK(K_DK(passphrase),DK) where
E_DK is an encryption function 

Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING

[thesinoda]

This to answer Mr Jon Callas (PGP CTO) and to show him the last 
proof-of-concept. If he did not get it we consider we have done our part to 
report a BIG problem in PGP unless this is some kinda of HIDDEN features.


--Adonis, Abed Comments--

We do not agree with some of PGP comments. 


We do not know why they just see one side of the coin.


What if you had  created a virtual disk  and give that to  someone. That someone

use it as his/her own disk and  decided to change the password because they  own

the disk  now (You  give them  to them  with the  pass). So  they did change the

passowrd, but the originator  can still access that  disk if he/she replace  the

passphrase  bytes in  the binary  file. So  I consider  this an  attack on  data

INTEGRITY and  data AVAILABILITY since the legitimate user will be denied access

to the disk after replacing the passphrase bytes.


why you do not want to see that your password verification can be simply 

bypassed, besides a reputable co. like PGP should at least put anti-debugging 

tweaks, or even encrypt/hide the passphrase location


To pgp, your authentication can be bypassed, even if you have created two

different .sda file with two different content. the authentication can be

overwritten and the file can be extracted if you use a debugger if you do not

use a debugger you will be able to just bypass the authentication but without

extraction. why don't you see that mr. jon? instead of bitching and stuff? why

cannot you be professional and just explain fact after you do your home work

with a nice debugger.? is that to much asking, I think we are talking among

human and adults no?.


We think Mr. Jon (PGP) should play this flash video SLOW REAL SLOW.


http://www.safehack.com/Advisory/pgp/answerjon.html


PGP comments: http://www.securityfocus.com/archive/1/435155 


Quote from Mr Jon comments: For completeness, I'll note that we are discussing

whether we should add in a warning dialog to the passphrase change on a PGP

Disk, to tell the user that an attacker who has learned an old passphrase, has

an old disk and a hex editor can patch the disk so that it can be opened. On the

one hand, this might be a good thing to do. 


So if Mr Jon does not see the problem why they are talking about adding a

message box?. Why the passphrase location is not hidden? etc. I still see this

as INTEGRITY and AVAILABILITY attacks on PGP. I do not think it is normal

behavior of an encryption application to reveal it is passphrase location and I

do not see bypassing the passphrase dialog-box as Feature either.


 


Proof of concept that PGP AUTHENTICATION CAN BE BYPASSED WITHOUT PATCHING THE 

BINARY FILE EVEN.


This Flash video is dedicated to Mr. Jon Callas (PGP CTO, CSO).

http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html

http://www.safehack.com/Advisory/pgp/proof_of_concept_PGP_Authentication_BYPASS.html


We had reported that PGP Authentication can be bypassed by patching the binary 

file. After reading Mr. Jon Callas NON PROFESSIONAL answer, me and abed decided 

to show him that is not true. By using a SIMPLE Debugger PGP Authentication can 

be bypassed.


Here is Mr Jon Callas Comments http://www.securityfocus.com/archive/1/435155 

Summing up, we are disappointed that for whatever reasons, we were not 
contacted 

about this research before it was put on the web and posted on bugtraq. Had we 

been contacted, we could discuss this in private rather than have to air the 

details of this misunderstanding in a public forum. I am truly sorry for the 

sake of the Information Security Institute of Quebec and its staff that this 

complex issue has turned into a public brouhaha.


We load the file in the debugger and set the break points then we start by 

hitting F9 we will see the password dialog we enter ANY password here. When it 

stop at 00409797 Hit F9 6 times You see 


on 00405D70 |. E8 4FFB CALL a_sda.004058C4

we hit 6 times F9

A break point should be set on 00405D70 to see this.


After running the sda in olly we end up here. We hit F9 couples of time then we 
change ESI EDI

ON 00409797 |. F3:A7 REPE CMPS DWORD PTR ES:[EDI],DWORD PTR D; 


We see the stack values

ECX=0002 (decimal 2.)

DS:[ESI]=stack [00BBF68C]=DC3F5C82 -- IF WE ENTER A BAD PASSWORD THESE WONT BE 
THE SAME

ES:[EDI]=stack [00BBFF98]=DC3F5C82 EQUAL... WE JUST MAKE THEM EQUAL THEN 
CONTINUE THE QUEST. 


AT THIS POINT PGP Authentication is bypassed.


I hope that help Mr. Jon (PGP) seeing the problem. Again Mr Jon Bitching does 
not help you fixing your products.


-- End Comment--



Peace