PGP flaw found by Czech firm allows dig sig to be forged
http://www.wired.com/news/politics/0,1283,42553,00.html Your E-Hancock Can Be Forged by Declan McCullagh (declan@wired.com) 10:20 a.m. Mar. 21, 2001 PST WASHINGTON -- A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations. Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists. ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature. Both Zimmermann and the Czech engineers, Vlastimil Klima and Tomas Rosa, point out that the glitch does not affect messages encrypted with PGP. OpenPGP programs -- including GNU Privacy Guard and newer versions of PGP -- use different algorithms for signing and scrambling, and only the digital signature method is at risk. PGP and its offspring are by far the most popular e-mail encryption programs in the world. Nobody has disclosed a flaw in their message-scrambling mechanisms, but PGP owner Network Associates suffered an embarrassment last August when a German cryptanalyst published a way that allows an attacker to hoodwink PGP into not encoding secret information properly. In this case, someone wishing to impersonate you would need to gain access to your secret key -- usually stored on a hard drive or a floppy disk -- surreptitiously modify it, then obtain a message you signed using the altered secret key. Once those steps are complete, that person could then digitally sign messages using your name. "PGP or any program based on the OpenPGP format that does not have any extra integrity check will not recognize such modification and it will allow you to sign a message with the corrupted key," says Rosa, who works at Decros, an ICZ company. Rosa says he demonstrated the vulnerability with PGP 7.0.3. [...]
In article <20010321133551.B2386@cluebot.com>, Declan McCullagh <declan@well.com> wrote:
http://www.wired.com/news/politics/0,1283,42553,00.html
Your E-Hancock Can Be Forged by Declan McCullagh (declan@wired.com) 10:20 a.m. Mar. 21, 2001 PST
WASHINGTON -- A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
Of course, if someone can modify your private keyring, I'd suspect your TCB is toast. (Unless you're in the habit of shipping your private keyring around the Internet.) For the interested, this is my guess at the attack. Modify the encrypted value of p, somewhere near the middle. When decrypted, depending on the chaining mode, it's possible that only a couple of blocks of p will be mangled, and the remainder of the private key file will decrypt successfully. Here's where PGP fails to do a MAC to verify integrity of the data. Then, it behaves just like DFA (Differential Fault Analysis). The idea is that to calculate a signature M^d mod n, we calculate M^d mod p and M^d mod q, and use the CRT to combine them to S = M^d mod n. If p is wrong, the result S' will be correct mod q but incorrect mod p. so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p. Therefore GCD(S' ^ e mod n, M) = q, and we're done. - Ian
In article <99b89r$lgd$1@abraham.cs.berkeley.edu>, Ian Goldberg <iang@cs.berkeley.edu> wrote:
If p is wrong, the result S' will be correct mod q but incorrect mod p. so S' ^ e mod q = M mod q, but S' ^ e mod p != M mod p.
Therefore GCD(S' ^ e mod n, M) = q, and we're done.
I think you meant GCD((S'^e mod n)-M, n) = q. I don't think what you said is true, since q does not necessarily divide M. - Nikita
In article <20010321133551.B2386@cluebot.com>, Declan McCullagh <declan@well.com> wrote:
Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it. As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine. Bear
A "vulnerability" that requires the opponent to have write access to your private key in order to exploit?
Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it.
Probably. Do you need only write access? What does that do for smart cards - if anything? -David
"...As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine... Bear" I completely agree. Even if they didn't have access to the machine, losing the private key is a huge problem. I should point out a similar problem exists with microsoft's crypto api (capi). by replacing rsaenh.dll (and one other i could name later...details are on my research laptop and not on this machine) one could dummy down encryption or eliminate encryption control across all crypto api-compliant applications (like ms outlook, explorer, etc.) in fact this 'crack' is simiar to the 'upgrade' ms offers users to go from 56 to 128 bit encryption. interestingly, in order to gain export assurance for a crypto product, it's usually enough to state that your product's crypto relies on the MS crypto api. this is because the ms crypto api architecture has already received an "ok" for export (with caveats re: 128 bit encryption.) i've been through this process so I know the 'crack' and the export license information is correct (as of one year ago anyway). the most significant problem with pki, imho, is the fact one can't verify the publisher of the key. the public key could have been stolen/modified, or the issuer of the key may not have verified the true identity of the requestor. i could, right now, buy for $14.95, a digital cert from verisign claiming I'm napoleon bonaparte. and it would be published in their digital cert. directory as true. ya know, i'm going to do that right now. anyway, as many have already echoed here, gaining access to an adversary's machine provides more interesting possibilities than simply modifying a user's secret key. i would hope the cnsa would try to be more creative than that. phillip In article <20010321133551.B2386@cluebot.com>, Declan McCullagh <declan@well.com> wrote:
Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
A "vulnerability" that requires the opponent to have write access to your private key in order to exploit? Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it. As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine. Bear
At 08:36 AM 3/22/01 -0800, Ray Dillinger wrote:
In article <20010321133551.B2386@cluebot.com>, Declan McCullagh <declan@well.com> wrote:
Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
A "vulnerability" that requires the opponent to have write access to your private key in order to exploit?
Okay. What was PGP's threat model again? I'd have sworn that this was squarely outside it.
As far as I can tell, *NOBODY* offers security tools that offer real protection in the event your opponent has physical access to the machine.
Maybe acme.com??? Always did right by Wile E. Coyote,,, ;) Reese
What the flaw says is that if I get write access to your private key I can cause you to reveal it. Like interesting but not exactly gripping stuff. If I can write to your private key you are probably !@@$(&**ed. The report is incorrect in stating that PGP is the most popular email security package, there are 100 million copies of S/MIME enabled email applications in use. Phill
-----Original Message----- From: owner-fight-censorship@vorlon.mit.edu [mailto:owner-fight-censorship@vorlon.mit.edu]On Behalf Of Declan McCullagh Sent: Wednesday, March 21, 2001 1:36 PM To: cypherpunks@cyberpass.net; cryptography@c2.net Cc: fight-censorship@vorlon.mit.edu Subject: PGP flaw found by Czech firm allows dig sig to be forged
http://www.wired.com/news/politics/0,1283,42553,00.html
Your E-Hancock Can Be Forged by Declan McCullagh (declan@wired.com) 10:20 a.m. Mar. 21, 2001 PST
WASHINGTON -- A Czech information security firm has found a flaw in Pretty Good Privacy that permits digital signatures to be forged in some situations.
Phil Zimmermann, the PGP inventor who's now the director of the OpenPGP Consortium, said on Wednesday that he and a Network Associates (NETA) engineer verified that the vulnerability exists.
ICZ, a Prague company with 450 employees, said that two of its cryptologists unearthed a bug in the OpenPGP format that allows an adversary who breaks into your computer to forge your e-mail signature.
Both Zimmermann and the Czech engineers, Vlastimil Klima and Tomas Rosa, point out that the glitch does not affect messages encrypted with PGP. OpenPGP programs -- including GNU Privacy Guard and newer versions of PGP -- use different algorithms for signing and scrambling, and only the digital signature method is at risk.
PGP and its offspring are by far the most popular e-mail encryption programs in the world. Nobody has disclosed a flaw in their message-scrambling mechanisms, but PGP owner Network Associates suffered an embarrassment last August when a German cryptanalyst published a way that allows an attacker to hoodwink PGP into not encoding secret information properly.
In this case, someone wishing to impersonate you would need to gain access to your secret key -- usually stored on a hard drive or a floppy disk -- surreptitiously modify it, then obtain a message you signed using the altered secret key. Once those steps are complete, that person could then digitally sign messages using your name.
"PGP or any program based on the OpenPGP format that does not have any extra integrity check will not recognize such modification and it will allow you to sign a message with the corrupted key," says Rosa, who works at Decros, an ICZ company. Rosa says he demonstrated the vulnerability with PGP 7.0.3.
[...]
participants (8)
-
Declan McCullagh -
dmolnar -
iang@cs.berkeley.edu -
nikitab@cs.berkeley.edu -
Phillip H. Zakas -
Phillip Hallam-Baker -
Ray Dillinger -
Reese