--- begin forwarded text

Date: 9 Aug 1997 02:13:36 -0000
From: iang@systemics.com
To: e$@thumper.vmeng.com
Subject: Hipped on PGP
Sender: <e$@vmeng.com>
Precedence: Bulk
List-Software: LetterRip 2.0 by Fog City Software, Inc.
List-Unsubscribe: <mailto:requests@vmeng.com?subject=unsubscribe%20e$>
List-Subscribe: <mailto:requests@vmeng.com?subject=subscribe%20e$>

HIP finishes late in the day. It's 0100 - that's one in the morning for the temporally challenged - and the smart card workshop has just broken up. Actually it was the second pass. The first pass was 'sold out' at 150 people, this second started at 2300 this evening. Again, 150 people turned up and sat through presentations of hardware and data formats and attacks on the financially finest plastic in Europe.

I have no snippets or revelations, I am not one of the dedicated. Mondex remains un-hacked, ChipKnip is secure. Frankly I'm not interested, I find the world of smart cards deadly boring. Perhaps it is the hardware, or maybe because attacks on smart cards have little chance of realising any gain or meltdown.

I can on the other hand report that Saturn is safe tonight, as our in-HIP astrodome is busily monitoring progress. What better way to wind down than to head up to north campground and check out the latest telescopic tracking software. Speaking of celestial control, the weather is perfect. That's by California standards, not European.

Dave del Torto was lucky to be joining us for his talk on PGP user security. After buzzing the bells of the trainee bag scanner with 15kg of portables and random cables, he was incarcerated in an investigative cell for a couple of hours. Many hours after seeing his flight head east, a state department goon turns up. "When are you coming back?" asks the goon, knowing full well the day. Dave says "the 16th", blithely unaware that his passport expires on the day before. Goon leaves, returns, hands over passport. Only problem was, passport was cancelled... No explanation. No advice, no help. How Dave wings it over to HIP and saves the free world has to wait until, well, another's email.

What disturbs is the gradual, unstoppable closing of borders in our erstwhile free western neighbour. Just like the American predomination, or should I say, embarrassment of topic on the never-ending crypto saga. If freedom is to contract a cancer, a malignant tumour, then Dave's talk on PGP user security is as a promise of the miracle cure, and not the State Department chemotherapy that cures the disease by killing the patient.

Dave was followed by a presentation by Gary Howland on weaknesses in PGP. These theoretical problems leave one with niggling doubts as to the accepted reputation, our holy grail of privacy and security. There is no need for panic - many of the attacks are both highly specific, have been recognised for some time, and have been explicitly fixed in the latest release, PGP 5.0. But there is pause for thought.

Howland and myself and many others have built financial cryptographic systems that relied on the mantra of PGP impregnability. The attacks he described work best in programmed systems like ours and those of our more respectable competitors. For example, imagine building a system that authorised counterparties on the strength of the PGP id or the fingerprint. Now we discover that Mallory can make a new key with the same fingerprint. Whilst not wishing to state that this is the end of the world, clearly we have to re-evaluate the entire architecture that was built up upon PGP. We believed in the PGP reputation as much as others, and these attacks are a timely reminder of the need for eternal hacker vigilance.

These flaws are significant but addressable: PGP 5.0 has fixes for all but one of the flaws mentioned. And for the record, whilst Gary's attack to change conventionally encrypted files without detection was unknown to the PGP team at the moment, we can be sure that it will be addressed.

Other exciting developments were the van Eck demonstration by Prof. Euller. Not one, not two, but three methods to detect and display PC monitor signals on a slaved monitor, from distances into the several hundreds of metres. There is now little doubt that standard computers are the FBI's best friend. What need key escrow?

Signing off and Hipped out.

iang@somwhere.in.the.middle.of.nowhere

--- end forwarded text

-----------------
Robert Hettinga (rah@shipwright.com), Philodox
e$, 44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The e$ Home Page: http://www.shipwright.com/
Ian Grigg <iang@systemics.com> writes:
> [Gary Howland gives talk at HIP on technical PGP flaws, 0xDEADBEEF etc]
> And for the record, whilst Gary's attack to change conventionally encrypted files without detection was unknown to the PGP team at the moment, we can be sure that it will be addressed.

Hmm. Change pgp -c files you say. Let's see... do you mean this:

    % echo hello world > junk
    % pgp -c +compress=off -zfred junk
    % sed 's/....$/adam/' < junk.pgp > junk2.pgp
    % pgp -zfred junk2.pgp
    % cat junk2
    hello woøP?t

That much is obvious.

(pgp doesn't complain or even notice the above btw ... there is no checksum and so you can just garble the file, if you so wish, and pgp won't complain).

Or did Gary find a way to undetectably modify ciphertext without turning off compression?

Could you or he elaborate on your attack?

Eternity server code is using pgp -c (but with compression on), and some remailer reply blocks (presumably with compression on), so it could be relevant if you've come up with an attack which works with compress=on.

If you're using PGP with compress=on, then I suspect your chances of undetectably modifying the ciphertext and still coming up with something which is a valid compressed packet is fairly low. I wonder how low. Probably not low enough cryptographically, if you were using this in an automated environment, where people could hit a server with garbled packets repeatedly until one happened to decompress, and pass the compression code's internal checksum.

Adam
--
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
> Ian Grigg <iang@systemics.com> writes:
> > [Gary Howland gives talk at HIP on technical PGP flaws, 0xDEADBEEF etc]
> > And for the record, whilst Gary's attack to change conventionally encrypted files without detection was unknown to the PGP team at the moment, we can be sure that it will be addressed.

It's not just conventionally encrypted files - any encrypted file that is unsigned can be modified without detection. I brought this to everyone's attention because far too many people assume that encryption provides integrity.

> Hmm. Change pgp -c files you say. Let's see... do you mean this:
>
>     % echo hello world > junk
>     % pgp -c +compress=off -zfred junk
>     % sed 's/....$/adam/' < junk.pgp > junk2.pgp
>     % pgp -zfred junk2.pgp
>     % cat junk2
>     hello woøP?t
>
> That much is obvious.
>
> (pgp doesn't complain or even notice the above btw ... there is no checksum and so you can just garble the file, if you so wish, and pgp won't complain).

Yes, this is part of the point I was making.

> Or did Gary find a way to undetectably modify ciphertext without turning off compression?

Of course it is easier to modify uncompressed files, but even compressed files can be tampered with - it's just an awful lot harder.

> Could you or he elaborate on your attack?

In addition to turning files to garbage, I was pointing out that files can be truncated. This could be very serious, if, say, you removed the second of a pair of financial transactions, or perhaps removed the last line of a security program, e.g. if the last line of a script is "chmod -w filename" and you can remove this line, then you may be in trouble. As well as trashing files, and truncating them, it is also important to remember that the last 8 bytes can be modified without detection if the plaintext is known. This could be very serious. Think of the damage that could be done in 8 bytes ("rm -rf /"). I agree that these attacks are very unlikely to occur, but I just wanted to bring it to everyone's attention.

> If you're using PGP with compress=on, then I suspect your chances of undetectably modifying the ciphertext and still coming up with something which is a valid compressed packet is fairly low. I wonder how low.

If the plaintext is known, I could come up with a change to the last 8 bytes that would be valid (well, perhaps not - I don't know ZIP compression too well).

Gary
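The property Adam's transcript and Gary's reply are both describing, worked through as an added example; this is not code from either of them, nor from PGP. It models PGP-style conventional encryption as a 64-bit block cipher in CFB mode (the block size behind Gary's "last 8 bytes"), with a constructed keyed PRF standing in for the real cipher, since CFB only ever calls the cipher in its forward direction. It then shows why "encryption is not integrity": the three edits from the thread (a known-plaintext rewrite of the final block, an edit of an interior block that garbles the block after it, and plain truncation) all decrypt without any error, and an encrypt-then-MAC wrapper, added here as the mitigation, rejects every one of them before decrypting. The key, IV and sample message are constructed; the `-zfred` passphrase is reused only as the demo key.

```python
"""Why "encryption is not integrity": CFB mode is silently malleable, and an
authentication tag is what turns the edits below into hard errors."""
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit cipher block; the "8 bytes" in Gary's remark
TAG_LEN = 32   # HMAC-SHA256 tag


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_fn(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the block cipher's forward direction.

    CFB calls the cipher forwards for both encryption and decryption, so a
    keyed PRF truncated to one block models the mode exactly; it is not IDEA
    or any real cipher and is here only to make the demo self-contained.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    """CFB encrypt (encrypt=True) or decrypt (encrypt=False).

    No padding: output length equals input length, so a truncated ciphertext
    decrypts to a truncated plaintext with nothing to complain about.
    """
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        result = _xor(chunk, block_fn(key, feedback))
        out += result
        # The feedback register always holds the previous *ciphertext* block,
        # which is why a ciphertext edit spills into exactly one later block.
        feedback = result if encrypt else chunk
    return bytes(out)


def patch_ciphertext(ct: bytes, offset: int, known: bytes, new: bytes) -> bytes:
    """Keyless edit: XOR (known XOR new) into the ciphertext bytes at offset.

    Since P_i = C_i XOR F(C_{i-1}), the same delta lands in the plaintext at
    that offset. The block *after* the edited one decrypts to garbage; if the
    edit sits in the final block there is no such block and nothing shows.
    """
    delta = _xor(known, new)
    end = offset + len(delta)
    return ct[:offset] + _xor(ct[offset:end], delta) + ct[end:]


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, pt: bytes, iv: bytes = None) -> bytes:
    """Encrypt-then-MAC: IV || CFB ciphertext || HMAC over both."""
    enc_key, mac_key = _subkeys(key)
    if iv is None:
        iv = os.urandom(BLOCK)
    body = iv + cfb(enc_key, iv, pt, True)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None if any byte of IV/ciphertext/tag changed
    or anything was truncated. The tag is checked before decrypting."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < BLOCK + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cfb(enc_key, body[:BLOCK], body[BLOCK:], False)


def demo(key: bytes = b"fred") -> dict:
    """Run the three edits from the thread against bare CFB and against the
    sealed form. Key, IV and message are constructed for the demo."""
    iv = bytes(range(BLOCK))              # fixed IV only for reproducibility
    pt = b"transfer 100 to alice\n"       # 8 + 8 + 6 bytes: three CFB blocks
    ct = cfb(key, iv, pt, True)
    r = {}
    # 1. Known plaintext in the final block: swap the payee, nothing garbles.
    forged = patch_ciphertext(ct, len(ct) - 6, b"alice\n", b"carol\n")
    r["payee_forged"] = cfb(key, iv, forged, False)
    # 2. Edit an interior block: the amount changes, the next block is junk.
    forged = patch_ciphertext(ct, 9, b"1", b"9")
    r["amount_forged"] = cfb(key, iv, forged, False)
    # 3. Truncate: the last "line" of the message simply disappears.
    r["truncated"] = cfb(key, iv, ct[:16], False)
    # 4. With a tag, the untouched blob opens and every edit is rejected.
    blob = seal(key, pt, iv)
    head, body_ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    r["sealed_ok"] = open_sealed(key, blob)
    r["sealed_rejects"] = [
        open_sealed(key, head + patch_ciphertext(body_ct, len(body_ct) - 6, b"alice\n", b"carol\n") + tag),
        open_sealed(key, head + patch_ciphertext(body_ct, 9, b"1", b"9") + tag),
        open_sealed(key, head + body_ct[:16] + tag),
    ]
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value!r}")
```

The second case reproduces what Adam saw (`hello wo` intact, the rest garbage): the edited block changes as intended and the one after it is destroyed, which is why an interior edit only "works" in the final block, exactly Gary's 8-byte point. Compression makes the garbled block fail to inflate most of the time, but as Adam notes that is a probabilistic barrier, not an integrity check; the tag in `seal`/`open_sealed` is the check, and verifying it before decrypting is what keeps a server from ever acting on a forged or truncated message.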