Vulnerability
    PGP

Affected
    PGP Desktop Security 7.0

Description
    Patrik Birgersson (Wkit Security AB) found the following.

    PGP Desktop Security 7.0 is a collection of encryption programs. It can be used for encryption of e-mails, files and network communications, based on PKI. It also offers a personal firewall and intrusion detection (IDS).

    PGP offers the possibility to use split keys for encryption/decryption and digital signing. When creating a split key, you are asked to set how many shares will be required to rejoin the key. The shares are saved as files, either encrypted to the public key of a shareholder or encrypted conventionally if the shareholder has no public key. After the key has been split, attempting to sign or decrypt with it will automatically attempt to rejoin the key.

    There are two ways to rejoin a key: locally and remotely. Rejoining key shares locally requires the shareholders' presence at the rejoining computer; each shareholder is required to enter the passphrase for his or her key share. Rejoining key shares remotely requires the remote shareholders to authenticate and decrypt their shares before sending them over the network. PGP's Transport Layer Security (TLS) provides a secure link for transmitting key shares, which allows multiple individuals in distant locations to sign or decrypt with their key shares.

    Wkit Security AB has found that if any caching option in PGP Desktop Security 7.0 is activated, a malicious user can encrypt/decrypt or sign any file or e-mail with a split key that has previously been authenticated by the required number of split-key shareholders.

    Example: users A, B, C and D hold one share each of a split key (let's say a corporate management key). The split key requires two shares in order to be operational. User A asks user B to provide his/her share for encryption of the latest economic forecast (let's say a PDF document). User B knows that this document needs to be encrypted and should not be accessible to a single user, so he/she connects to user A's PGP network session and supplies his/her share for the split key, thus enabling encryption of the economic forecast (user A's share is of course also supplied). Now, user A has the option "Cache passphrase while logged on" activated in his/her PGP software. This lets user A do "whatever" with the split key. Since user A in this example is malicious, he/she writes a press announcement and signs it with the split key (the corporate management key, remember?). Imagine the impact a press announcement with negative (or any other unwanted) information, signed with a "trustable" key, would have.

    The concept of split keys/key shares as used by PGP Desktop Security 7.0 is not secure in itself, regardless of caching options or any similar mechanism in the software, because the shares themselves are delivered to the rejoining computer. A malicious user could replace the PGP software with a modified version, thus "grabbing" the key shares from the other shareholders.

    There are systems that solve this problem. They allow each party to receive a copy of the data to be signed or encrypted and to perform a partial operation on it with their share on a trusted system. They then forward the partial result to the next user, and so on, until all required users have processed the data; the last user produces the final encrypted or signed data. Since none of the users reveals their share, nobody, including the participants themselves, obtains a copy of the reconstructed secret, and the shares can be reused for as long as desired.

    The information in this advisory does not imply in any way that the cryptographic algorithms used by the PGP software contain a vulnerability. This advisory points out a risk in the method used for split keys, which is not necessarily limited to the PGP Desktop Security 7.0 software package. Other encryption software packages may use the same method for split keys, making them vulnerable to malicious users in the same way. However, Wkit Security AB feels that the caching feature of PGP Desktop Security 7.0 makes retrieving/storing shares of a split key so easy that no expert knowledge is needed to exploit this vulnerability.

Solution
    Wkit Security AB has no knowledge of any solution or workaround for this problem. Even if the vendor were to disable caching for split keys, it would still be possible for a malicious user to write his/her own software to "grab" the key shares. If one wishes to use split keys, a system that does not require exposure of the key shares is preferred.
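The two models contrasted in the advisory, as an added illustration that is not part of the advisory and has nothing to do with PGP's own code: a toy RSA private exponent is split 2-of-4 with Shamir's scheme and rejoined on one computer the way the advisory describes, after which the rejoined exponent signs any document without the second shareholder; the same exponent is then split additively between two holders who each apply only their own share to the agreed message, so the complete key is never assembled and a holder's partial result is useless for any other document. The primes, messages, seed and the 2-of-2 additive split are constructed for the demonstration; the additive split stands in for the general threshold signing systems the advisory refers to, which extend the same idea to k-of-n.

```python
"""Rejoin-then-use versus partial-operation use of a split signing key.

Constructed toy (small RSA modulus, fixed seed); not the PGP code base.
"""
import random

# --- Toy RSA key; the private exponent D is the secret that gets split ---
P, Q = 1000003, 1000033          # small primes, chosen for readability only
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)

FORECAST = 123456789             # stands in for the PDF the shareholders agreed to protect
PRESS_RELEASE = 987654321        # stands in for the document B never agreed to sign

RNG = random.Random(2001)        # fixed seed so the run is reproducible


def sign(message, d):
    """Textbook RSA signature m^d mod N (no padding; toy only)."""
    return pow(message, d, N)


def verify(message, sig):
    return pow(sig, E, N) == message % N


# --- Model 1: shares that are rejoined into the full key (the PGP 7.0 model) ---
FIELD = (1 << 61) - 1            # prime modulus for Shamir's scheme; exceeds any value shared


def shamir_split(secret, k, n):
    """k-of-n Shamir split: shares are points (x, f(x)) on a random degree k-1 polynomial."""
    coeffs = [secret] + [RNG.randrange(FIELD) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, FIELD) for i, c in enumerate(coeffs)) % FIELD)
            for x in range(1, n + 1)]


def shamir_rejoin(shares):
    """Lagrange interpolation at x=0; the result is the complete secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        secret = (secret + yi * num * pow(den, -1, FIELD)) % FIELD
    return secret


SHARES = shamir_split(D, k=2, n=4)   # users A, B, C and D hold SHARES[0..3]


def rejoin_model(share_a, share_b):
    """B hands A a share for one document; the rebuilt exponent then signs anything."""
    d = shamir_rejoin([share_a, share_b])
    sig_forecast = sign(FORECAST, d)
    sig_press = sign(PRESS_RELEASE, d)    # no second shareholder involved any more
    return d, sig_forecast, sig_press


# --- Model 2: each holder applies only its own share (partial signatures) ---
D_A = RNG.randrange(PHI)              # additive 2-of-2 split of D modulo PHI
D_B = (D - D_A) % PHI


def partial_model(d_a, d_b):
    """A and B each exponentiate the agreed message with their own share;
    the product is the signature, and D is never assembled anywhere."""
    part_a = pow(FORECAST, d_a, N)
    part_b = pow(FORECAST, d_b, N)
    sig_forecast = part_a * part_b % N
    # B's partial is bound to FORECAST; reusing it for another message gives garbage.
    reused = pow(PRESS_RELEASE, d_a, N) * part_b % N
    return sig_forecast, reused


if __name__ == "__main__":
    d, s_f, s_p = rejoin_model(SHARES[0], SHARES[1])
    print("rejoined key equals D:", d == D)
    print("forecast signed:", verify(FORECAST, s_f),
          "| press release signed without B:", verify(PRESS_RELEASE, s_p))
    s_f, reused = partial_model(D_A, D_B)
    print("partial model, forecast signed:", verify(FORECAST, s_f),
          "| B's partial reused on press release:", verify(PRESS_RELEASE, reused))
```

In the first model the caching option the advisory describes is just a convenient way to keep the rejoined exponent around; the exposure exists from the moment the shares meet on one machine. In the second model each holder's contribution is specific to the document it was computed for, which is exactly the property the "Solution" section asks for.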