Czech cryptologists discover bug in OpenPGP format
Pawel Krawczyk
kravietz at aba.krakow.pl
Tue Mar 20 11:53:56 PST 2001
http://www.i.cz/en/onas/tisk4.html
Press Release Prague, 20.3.2001
Cryptologists from Czech company ICZ detected serious security vulnerability
of an international magnitude
A bug has been found in worldwide used security format OpenPGP. The
bug can lead to discovery of user's private keys used in digital
signature systems. OpenPGP format is widely used in many applications
used worldwide, including extremely popular programs like PGPTM, GNU
Privacy Guard, and others. The bug detection comes on the right time,
as Philip Zimmermann, the creator of PGP program, has left Network
Associates, Inc. and aims to boost OpenPGP format in other products
for privacy security on Internet. From the scientific point of view,
the discovery goes far beyond actual programs - it has wider
theoretical and practical impact.
Two Czech cryptologists, Vlastimil Klima and Tomas Rosa, from a
company Decros (member of ICZ group) detected insufficient security
protection of private signature keys while working on a research for
the Czech National Security Authority. The private signature key is
the most sensitive and therefore the most protected information in all
digital signature systems. The attack is described in detail in a
research report to be released shortly on Internet (http://www.i.cz)
in both Czech and English.
The attack on OpenPGP format leading to discovery of DSA and RSA
private signature keys is described in the research report. OpenPGP
format is being proposed as an Internet standard for exact definition
of content and meaning of data records, in relation to encryption and
to digital signature.
This format is used not only in groups of programs called PGPTM, but
also in other applications, including GNU Privacy Guard. The list of
products based on OpenPGP is available on Internet at
[1]http://www.pgpi.org/products. OpenPGP format and all the
applications need to be reviewed the same way as the PGPTM program
itself.
The attack was successfully verified and demonstrated on PGPTM(*)
version 7.0.3 using AES and DH/DSS algorithms, which are deservedly
being considered as highly secure.
This serious bug is caused by incorrect implementation of the
above-mentioned strong cryptographic techniques. The private signature
key is the basic and the most sensitive information in the whole
system. The user is using it for digital signature. In all systems,
including OpenPGP, it is therefore protected by a strong cipher. AES,
one of the latest strong algorithms, has been used in the attacked
system. However, the protection appears to be illusory.
The authors proved that attackers do not need to attack the strong
cipher itself. They can simply bypass it as well as the secret user's
passphrase. A slight modification of the private key file followed by
capturing a signed message is enough to break the private key. These
tasks can be performed without knowledge of the user's passphrase.
After that, a special program can be run on any office PC. Based on
the captured message, the program is able to calculate the user's
private key in half a second. The attacker can then sign any messages
instead of the attacked user. Despite of very quick calculation, the
program is based on a special cryptographic know-how.
Insufficient security of public and private parts of signature keys in
OpenPGP format has been analyzed for DSA and RSA algorithms. The
step-by-step description of the attack on both private signature keys
is being demonstrated. The attacks apply to all RSA and DSA parameter
lengths (modules, keys).
The demonstrated attacks have a strong impact on security of the
programs mentioned above. To complete the attack, it is not always
necessary to visit the attacked user's workstation. The vulnerability
of the system is also in the files with exported private keys used by
the user for transferring the keys between workstations. The fact that
the private key is stored in an encrypted form can cause an illusory
feeling of security. If this file or diskette is captured by an
attacker during the transfer, the security of user's private key is in
serious danger.
We can often see that users store private key files on shared devices
on a network to maintain easy access. Knowing that the key is
protected by a strong cipher, the user considers such storage to be
safe enough. The authors proved that this feeling is illusory.
Typically, the server administrator can be the attacker.
Knowing the details of the demonstrated attack, the user of programs
based on OpenPGP is in a difficult situation when he/she realizes that
an invalid signature value has been generated. The user cannot be sure
whether this happened because of the attack, or 'just' because of a
technical failure. It is obvious that every file with an invalid
signature has to be handled carefully, the same way as a file with the
private key in open form! This includes careful secure wiping of the
file from the workstation or the server.
The completed analysis of the OpenPGP format has discovered serious
defects that make OpenPGP based applications vulnerable. The practical
example is PGPTM program which is not resistant to the attack on DSA
algorithm. However, the program is resistant to the attack on RSA
algorithm because of additional protections beyond OpenPGP format.
Though the attack relates to RSA and DSA algorithms in OpenPGP,
similar vulnerabilities can be expected in other asymmetrical
cryptographic systems, including systems based on elliptic curves.
OpenPGP format and PGPTM program are likely not the only examples of
systems that can be attacked because of insufficient protection of the
parameters mentioned above. In the end of their research report, the
authors propose cryptographic measures correcting OpenPGP format and
PGPTM program as well. They strongly appeal for very careful design of
cryptographic systems.
Contact:
ICZ a.s.
V Olšinách 75
100 97 Prague 10
[2]http://www.i.cz Miroslav Votruba
Marketing Director ICZ
Tel.: 02/81 00 21 43
e-mail: [3]m.votruba at i.cz
_________________________________________________________________
(*) Note: PGP is registered trade mark of Network Associates, Inc. All
other registered and not registered trade marks listed in this
document are owned by their appropriate owners.
References
1. http://www.pgpi.org/products
2. http://www.i.cz/
3. mailto:m.votruba at i.cz
--
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/> *** fidonet: 2:486/23
More information about the cypherpunks-legacy
mailing list