Virus attacks on PGP
PGP can be vulnerable to virus attacks. (Similar attacks can be made on other cipher systems.) These virus attacks can either be "Get the Key", or "Subvert the System" attacks.

Schneier's "Rubber Hose" attack and a class of attack which I will call "Black Bag" attacks are get the key attacks. With a black bag attack, victims do not know their keys have been stolen, and so continue to use them. (According to "The Puzzle Palace", NSA got the FBI to perform black bag attacks on embassies in Washington DC.) I don't think subvert the system attacks have any parallel in classical cryptography.

Get the Key Attacks

PGP has three keys: the secret key ring pass phrase, the secret RSA key, and the IDEA key. Getting any of them would constitute a successful attack.

A virus that collects secret key rings and sends their contents somewhere, either via UDP-like messages or by dialing the modem late at night, doesn't seem to be much harder to build than one that erases your hard disk. If it runs only once per machine, its chances of getting caught are fairly low. The standard IP error handling of "throw away the packet" means that it probably won't be caught by firewalls. It seems more likely that someone will catch their computer making an unauthorized 800 number call. This attack would allow an opponent to use a brute force attack on the pass phrase.

Getting the pass phrase or the IDEA key requires that the virus infect something in the PGP environment. The infection could be to PGP itself, or to the operating system in which it runs. (N.B. Since Mac and PC systems have only one protection domain, all programs running in them are part of the operating system for the sake of this analysis.)

Assuming PGP is infected, although similar arguments apply to the operating system, the possible mechanisms of infection are many:

    An infected PGP binary is installed
    A virus modifies disk copies of PGP
    The OS's loader is infected to modify PGP as it is loaded
    The compiler or linker is infected to modify PGP.

Any of these forms of infection could send pass phrases, secret keys, or IDEA keys out via IP or modem.

Subvert the System Attacks

The mechanisms of infection are similar to those of the get the key attacks, but these attacks do not require that the virus send data outside the machine. Instead, these attacks act by reducing the size of one of the three key spaces, making it vulnerable to brute force attacks. For example, if the OS provides a "random number" service, then limiting the randomness of the numbers constitutes an attack. Making RSA key generation loosely connected to the date and time constitutes an attack.

Defenses

One standard defense in classical cryptography is to frequently change the cipher keys. The PGP web-of-trust makes changing keys difficult, and is perhaps the weakest part of the overall protocol.

Standard defenses against viruses can help, but if the attacker is determined and competent, then the virus will not be detected by virus detection programs, and will not have bugs which cause noticeable ill effects on infected machines.

Custom changes to things like random number utilities and the PGP code itself may increase resistance by preventing some of these attacks from identifying the modified code as its intended target.

Auditing code, preferably object code, can detect infection. Having ALL the source code available is almost a requirement here.

Maintaining a file of cryptographic hashes of the IDEA keys used and checking for duplicates can detect subvert the system attacks on IDEA key generation at the risk that the cryptographic hash is in fact invertible and can be used to reveal the IDEA key.

Using operating systems which run in many small protection domains can limit the opportunity for infection. One such system I have been involved with for over 20 years is described at the following WEB sites:

http://www.cis.upenn.edu/~KeyKOS/
http://www.webcom.com/agorics/allkey.html

Bill

-----------------------------------------------------------------
Bill Frantz         Periwinkle -- Computer Consulting
(408)356-8506       16345 Englewood Ave.
frantz@netcom.com   Los Gatos, CA 95032, USA
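The duplicate check on session keys described in the post above, as an added example that is not part of the original message or of PGP. It assumes a keyed digest (HMAC-SHA-256 with a secret held apart from the ledger) in place of a plain hash, so that the ledger by itself cannot be used to test guesses against a shrunken key space; the class, the in-memory ledger and the weak generator are constructed for illustration.

```python
import hashlib
import hmac
import math
import os


class SessionKeyLedger:
    """Stores a keyed digest of each session key and counts repeats."""

    def __init__(self, ledger_secret: bytes):
        # Assumption: this secret is kept apart from the ledger, so the
        # ledger alone cannot be used to test guesses at session keys.
        self._secret = ledger_secret
        self._seen = set()
        self.total = 0
        self.duplicates = 0

    def record(self, session_key: bytes) -> bool:
        """Record one key; return True if it repeats an earlier one."""
        tag = hmac.new(self._secret, session_key, hashlib.sha256).digest()
        self.total += 1
        if tag in self._seen:
            self.duplicates += 1
            return True
        self._seen.add(tag)
        return False

    def effective_bits(self):
        """Rough birthday estimate of the key space in bits (None if no repeats)."""
        if self.duplicates == 0:
            return None
        pairs = self.total * (self.total - 1) / 2
        return math.log2(pairs / self.duplicates)


def subverted_key(counter: int) -> bytes:
    """Constructed weak generator: 128-bit output, only 2**12 possible keys."""
    digest = hashlib.sha256(counter.to_bytes(4, "big")).digest()
    seed = int.from_bytes(digest[:2], "big") % 4096
    return hashlib.sha256(b"weak" + seed.to_bytes(2, "big")).digest()[:16]


def run_demo(n: int = 500):
    """Feed n keys from a sound and a subverted source into separate ledgers."""
    sound = SessionKeyLedger(os.urandom(32))
    weak = SessionKeyLedger(os.urandom(32))
    for i in range(n):
        sound.record(os.urandom(16))      # stand-in for a healthy generator
        weak.record(subverted_key(i))
    return sound, weak
```

With a sound 128-bit generator a single repeat is already an alarm; the estimate from `effective_bits()` only indicates how far the key space appears to have been reduced.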
Thanks for the post. I think there are a few interesting points, and some of the things I do to try to make things more difficult for a potential virus.

First, my secring is on a PCMCIA memory card, as are the versions of PGP, in this case DOS and Linux. A virus is unlikely to attack both, and when the memory card is in, the network and modem cards are out.

Second, I think PGP is statically linked by default. If it isn't, this should be changed - there was recently a CERT alert about telnet services being compromised by switching DLLs. The code can also be cross compiled and burned onto a CDROM which would make it difficult to infect.

zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key
Where can one get PGP burnt into cdrom? Or the equipment to do it
Thanks in advance
moroni
> Where can one get PGP burnt into cdrom? Or the equipment to do it
If you can wait a while, TERENA (UKERNA, SURFnet, etc) are producing a PGP CD at the start of next year ...
Would PGP on CD-ROM truly guarantee a corrupt/virus free executable? A virus already running in memory could tamper with what it's doing, perhaps extracting the necessary keys and dumping them to a log file. This would be especially dangerous on a UNIX system where many people might be using PGP, thinking it is secure.

I think the only way to be safe is to actually boot up off of the CD-ROM, and hope that the hardware in your computer physically hasn't been tampered with :)
On Fri, 24 Nov 1995, Laszlo Vecsey wrote:
> > > Where can one get PGP burnt into cdrom? Or the equipment to do it
> > If you can wait a while, TERENA (UKERNA, SURFnet, etc) are producing a PGP CD at the start of next year ...
> Would PGP on CD-ROM truly guarantee a corrupt/virus free executable? A virus already running in memory could tamper with what it's doing, perhaps extracting the necessary keys and dumping them to a log file. This would be especially dangerous on a UNIX system where many people might be using PGP, thinking it is secure.
>
> I think the only way to be safe is to actually boot up off of the CD-ROM, and hope that the hardware in your computer physically hasn't been tampered with :)
My original post mentioned two things, the other was to cross-compile the sources. Maybe do it on 3 different systems (e.g. Sun, HP and DEC), and compare the binaries, then burn a CD. A virus would have to be very versatile to infect multiple platforms and insert code for another.

It would also be silly for a virus to just dump keys when PGP runs, it would be far easier to look for any occurrence of secring.pgp, and mail it, and/or monitor when it was opened and record keystrokes. And log files must go somewhere.

I don't know if I mentioned, but I keep PGP and my keys on pcmcia memory cards that aren't in the system at the same time as a network or modem card. Moreover I can also simply use the DOS version (I use linux to communicate) - It would require quite an effort to create a virus that would work and pass data across the required OS problems and not break with the twice a week kernel-level changes :).

ViaCrypt also has a PCMCIA implementation of pgp, and it should be fairly easy to implement in an ASIC, or small embedded micro. That would be much harder to compromise. Of course anything so useful commercially would be the subject of our legal system.

It takes quite an effort to create a complex virus to do this. It reminds me of the Glomar Challenger that was used to recover the remains of a Russian sub (my memory is somewhat faulty). Such a virus would require a great investment in time and money. What target would be worth it? Many otherwise feasible things aren't economically practical.

zerucha@shell.portal.com -or- 2015509 on MCI Mail
finger zerucha@jobe.portal.com for PGP key
-----BEGIN PGP SIGNED MESSAGE-----

On Fri, 24 Nov 1995, Moroni wrote:
> Where can one get PGP burnt into cdrom? Or the equipment to do it
> Thanks in advance
> moroni

I remember seeing in a computer catalog a device that can burn data into a cdrom and it even supplies blank cd's. Unfortunately, I cannot remember the name of the catalog. It might have been _Tiger Software_ or some similar catalog. I do know that the technology is available.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by mkpgp, a Pine/PGP interface.

iQCVAwUBMLaOlrZc+sv5siulAQGpUgQAnj4I6lhgOX6Q6U9PctJn4pFcW7ncRguT
Npv8w7GR5TzBY7fejmiwVGqjSkw86trCvJwwR42azd2XAYU9t8zlSNO/r+dbqGQY
1mmA5RGUAuP5FVvVKoJqq0eYBhixe0E+G9/hBftqNlNAsIEuQ+sRd1MkoR1zu4R+
27+lBhQ72as=
=j0/5
-----END PGP SIGNATURE-----

`finger -l markm@omni.voicenet.com` for public key and Geek Code
Public Key/1024: 0xF9B22BA5 BD 24 D0 8E 3C BB 53 47 20 54 FA 56 00 22 58 D5
Homepage URL:http://www.voicenet.com/~markm/
On Fri, 24 Nov 1995, Mark M. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Fri, 24 Nov 1995, Moroni wrote:
> > Where can one get PGP burnt into cdrom? Or the equipment to do it
> > Thanks in advance
> > moroni
>
> I remember seeing in a computer catalog a device that can burn data into a cdrom and it even supplies blank cd's. Unfortunately, I cannot remember the name of the catalog. It might have been _Tiger Software_ or some similar catalog. I do know that the technology is available.
There was a recent review in network computing of about 60 or so different CDROM recording devices. The cheapest one was about $500 from Liberty. The most expensive was I think the one from Kodak, for about $20k. The capabilities of each are different. Some include buffering, some don't. However, the pre-mastering software used to make file systems on a CDROM (HSFS, UFS, DOS, ISO-???? (forget that four digit number)) is sold separately, but generally not too expensive.

There are also single and multi-session CD 'burners'. The single session means you have to do the entire disk in one session, and generally if you mess up, you need a new disk. The multi-session devices let you start a session, and pick it up with more information at a later time. Most of them are designed for multi-media or audio recording, but you can generally get pre-mastering software that will work with something like CD-XA.. etc.. Check your software for compatibility before purchasing the hardware.

____________________________________________________________________________
Doug Hughes             Engineering Network Services
System/Net Admin        Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress
participants (7)
- Doug Hughes
- frantz@netcom.com
- Laszlo Vecsey
- Mark M.
- Moroni
- Piete Brooks
- Thomas E Zerucha