Czech cryptologists discover bug in OpenPGP format

Pawel Krawczyk kravietz at aba.krakow.pl
Tue Mar 20 11:53:56 PST 2001


http://www.i.cz/en/onas/tisk4.html


                      Press Release Prague, 20.3.2001
   
Cryptologists from the Czech company ICZ have detected a serious security
                       vulnerability of international magnitude
                                      
   A bug has been found in the widely used security format OpenPGP. The
   bug can lead to the discovery of a user's private keys used in digital
   signature systems. The OpenPGP format is widely used in many applications
   worldwide, including extremely popular programs like PGP(TM), GNU
   Privacy Guard, and others. The bug's detection comes at the right time,
   as Philip Zimmermann, the creator of the PGP program, has left Network
   Associates, Inc. and aims to boost the OpenPGP format in other products
   for privacy and security on the Internet. From the scientific point of
   view, the discovery goes far beyond the actual programs: it has wider
   theoretical and practical impact.
   Two Czech cryptologists, Vlastimil Klima and Tomas Rosa, from the
   company Decros (a member of the ICZ group), detected insufficient security
   protection of private signature keys while working on research for
   the Czech National Security Authority. The private signature key is
   the most sensitive and therefore the most protected information in all
   digital signature systems. The attack is described in detail in a
   research report to be released shortly on the Internet (http://www.i.cz)
   in both Czech and English.
   The attack on the OpenPGP format leading to the discovery of DSA and RSA
   private signature keys is described in the research report. The OpenPGP
   format is being proposed as an Internet standard for the exact definition
   of the content and meaning of data records relating to encryption and
   digital signatures.
   This format is used not only in the group of programs called PGP(TM), but
   also in other applications, including GNU Privacy Guard. The list of
   products based on OpenPGP is available on the Internet at
   [1]http://www.pgpi.org/products. The OpenPGP format and all these
   applications need to be reviewed in the same way as the PGP(TM) program
   itself.
   The attack was successfully verified and demonstrated on PGP(TM)(*)
   version 7.0.3 using the AES and DH/DSS algorithms, which are deservedly
   considered highly secure.
   This serious bug is caused by an incorrect implementation of the
   above-mentioned strong cryptographic techniques. The private signature
   key is the basic and most sensitive piece of information in the whole
   system. The user uses it for digital signatures. In all systems,
   including OpenPGP, it is therefore protected by a strong cipher. AES,
   one of the latest strong algorithms, was used in the attacked
   system. However, the protection appears to be illusory.
   The authors proved that attackers do not need to attack the strong
   cipher itself. They can simply bypass it, as well as the user's secret
   passphrase. A slight modification of the private key file, followed by
   capturing a signed message, is enough to break the private key. These
   tasks can be performed without knowledge of the user's passphrase.
   After that, a special program can be run on any office PC. Based on
   the captured message, the program is able to calculate the user's
   private key in half a second. The attacker can then sign any message
   in place of the attacked user. Despite the very quick calculation, the
   program is based on special cryptographic know-how.
   The insufficient security of the public and private parts of signature
   keys in the OpenPGP format has been analyzed for the DSA and RSA
   algorithms. A step-by-step description of the attack on both private
   signature keys is given. The attacks apply to all RSA and DSA parameter
   lengths (moduli, keys).
   The demonstrated attacks have a strong impact on the security of the
   programs mentioned above. To complete the attack, it is not always
   necessary to visit the attacked user's workstation. The vulnerability
   of the system also lies in the files with exported private keys used by
   the user for transferring keys between workstations. The fact that
   the private key is stored in encrypted form can cause an illusory
   feeling of security. If this file or diskette is captured by an
   attacker during the transfer, the security of the user's private key is
   in serious danger.
   We can often see that users store private key files on shared devices
   on a network to maintain easy access. Knowing that the key is
   protected by a strong cipher, the user considers such storage to be
   safe enough. The authors proved that this feeling is illusory.
   Typically, the server administrator can be the attacker.
   Knowing the details of the demonstrated attack, the user of programs
   based on OpenPGP is in a difficult situation when he/she realizes that
   an invalid signature value has been generated. The user cannot be sure
   whether this happened because of the attack, or 'just' because of a
   technical failure. It is obvious that every file with an invalid
   signature has to be handled carefully, the same way as a file with the
   private key in open form! This includes careful secure wiping of the
   file from the workstation or the server.
   The completed analysis of the OpenPGP format has discovered serious
   defects that make OpenPGP-based applications vulnerable. The practical
   example is the PGP(TM) program, which is not resistant to the attack on
   the DSA algorithm. However, the program is resistant to the attack on the
   RSA algorithm because of additional protections beyond the OpenPGP format.
   Though the attack relates to the RSA and DSA algorithms in OpenPGP,
   similar vulnerabilities can be expected in other asymmetric
   cryptographic systems, including systems based on elliptic curves.
   The OpenPGP format and the PGP(TM) program are likely not the only
   examples of systems that can be attacked because of insufficient
   protection of the parameters mentioned above. At the end of their research
   report, the authors propose cryptographic measures correcting the OpenPGP
   format and the PGP(TM) program as well. They strongly appeal for very
   careful design of cryptographic systems.
   
   Contact:
   ICZ a.s.
   V Olšinách 75
   100 97 Prague 10
   [2]http://www.i.cz
   Miroslav Votruba
   Marketing Director, ICZ
   Tel.: 02/81 00 21 43
   e-mail: [3]m.votruba at i.cz
     _________________________________________________________________
                                      
   (*) Note: PGP is a registered trademark of Network Associates, Inc. All
       other registered and unregistered trademarks listed in this
              document are owned by their respective owners.

References

   1. http://www.pgpi.org/products
   2. http://www.i.cz/
   3. mailto:m.votruba at i.cz

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23
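As an added illustration, written for this page and not taken from the ICZ/Decros report (whose technical details are not reproduced above), the following Python shows the generic property the release relies on: a private key encrypted in CFB mode with no cryptographic integrity check can be altered by anyone who can write to the key file, with no passphrase, and the change stays invisible to the legitimate user until the altered key is used. OpenPGP does encrypt secret-key MPIs in CFB mode and follows them with a 16-bit additive checksum (RFC 2440; RFC 4880 later added a SHA-1 hash as the stronger alternative); everything else here is an assumption: a SHA-256 keyed block function stands in for AES, PBKDF2 for the S2K passphrase hashing, and the 20-byte secret, salt, IV and passphrase are constructed values. The script does not reproduce how the report turns the altered key into the private key; it only shows that the alteration itself needs no passphrase.

```python
"""Added example: tampering with a CFB-encrypted private key without the passphrase.

Stand-ins (assumptions, not OpenPGP's real primitives): a SHA-256 keyed block
function replaces AES, PBKDF2 replaces the S2K passphrase hashing. The secret,
passphrase, salt and IV are constructed values for the demonstration.
"""
import hashlib

BLOCK = 16  # AES block size in bytes

PASSPHRASE = b"correct horse battery staple"   # constructed
SALT = b"\x00" * 8                             # constructed
IV = b"\x00" * BLOCK                           # constructed
SECRET = bytes(range(1, 21))                   # constructed 20-byte stand-in for a 160-bit DSA x


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the cipher's forward direction; CFB never needs the inverse."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Stand-in for OpenPGP string-to-key (S2K) passphrase hashing."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 20000, dklen=32)


def cfb_crypt(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """Full-block CFB: P_i = C_i xor E_K(C_{i-1}), with C_{-1} = IV.
    Encryption and decryption differ only in which block is fed back."""
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = block_encrypt(key, feedback)[:len(chunk)]
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        feedback = chunk if decrypt else result  # the ciphertext block, either way
    return bytes(out)


def checksum16(data: bytes) -> bytes:
    """The 16-bit additive checksum OpenPGP stores after the secret MPIs."""
    return (sum(data) & 0xFFFF).to_bytes(2, "big")


def seal(passphrase: bytes, salt: bytes, iv: bytes, secret: bytes, with_hash: bool) -> bytes:
    """Encrypt secret || tag, where tag is the additive checksum or (stand-in for the
    RFC 4880 S2K-usage-254 SHA-1 check) a SHA-256 digest of the secret."""
    tag = hashlib.sha256(secret).digest() if with_hash else checksum16(secret)
    return cfb_crypt(derive_key(passphrase, salt), iv, secret + tag, decrypt=False)


def unseal(passphrase: bytes, salt: bytes, iv: bytes, blob: bytes, with_hash: bool) -> bytes:
    """Decrypt and verify the tag; returns the secret or raises ValueError."""
    body = cfb_crypt(derive_key(passphrase, salt), iv, blob, decrypt=True)
    n = 32 if with_hash else 2
    secret, tag = body[:-n], body[-n:]
    expected = hashlib.sha256(secret).digest() if with_hash else checksum16(secret)
    if tag != expected:
        raise ValueError("secret key integrity check failed")
    return secret


def flip_bits(blob: bytes, offset: int, mask: int) -> bytes:
    """What an attacker with write access to the key file, but no passphrase, does."""
    out = bytearray(blob)
    out[offset] ^= mask
    return bytes(out)


def tamper_unchecked():
    """Key file with no integrity tag: flip bit 0 of ciphertext byte 16 (first byte of
    the last block). Returns (original secret, secret the signer would actually use)."""
    key = derive_key(PASSPHRASE, SALT)
    blob = cfb_crypt(key, IV, SECRET, decrypt=False)
    altered = cfb_crypt(key, IV, flip_bits(blob, 16, 0x01), decrypt=True)
    return SECRET, altered


def tamper_in_earlier_block():
    """Flip inside block 0 instead: that byte changes predictably, but the whole
    following block decrypts to garbage, which is why the last block is the target."""
    key = derive_key(PASSPHRASE, SALT)
    blob = cfb_crypt(key, IV, SECRET, decrypt=False)
    return cfb_crypt(key, IV, flip_bits(blob, 3, 0x80), decrypt=True)


def tamper_detected(with_hash: bool) -> bool:
    """True if the integrity tag rejects the same single-bit edit."""
    blob = seal(PASSPHRASE, SALT, IV, SECRET, with_hash)
    try:
        unseal(PASSPHRASE, SALT, IV, flip_bits(blob, 16, 0x01), with_hash)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    original, altered = tamper_unchecked()
    print("original :", original.hex())
    print("altered  :", altered.hex(), "(only byte 16 differs, no passphrase needed)")
    print("block-0 flip garbles block 1:", tamper_in_earlier_block().hex())
    print("16-bit checksum catches it :", tamper_detected(False))
    print("hash over secret catches it:", tamper_detected(True))
```

Flipping a bit in the last ciphertext block changes exactly that bit of the decrypted secret: the earlier blocks are untouched and there is no following block to garble, so a signing program that trusts the decrypted bytes proceeds with a subtly wrong key. The additive checksum does catch a lone single-bit edit, but it is 16 bits, unkeyed and linear; a hash of the secret material stored under the same encryption is the kind of check the later OpenPGP revision adopted, because an attacker who does not know the secret cannot produce the digest of its altered form.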





More information about the cypherpunks-legacy mailing list