COMMAND
PGP
SYSTEMS AFFECTED
PGP Desktop Security 7.0
PROBLEM
Patrik Birgersson (Wkit Security AB) found the following. PGP Desktop
Security 7.0 is a collection of encryption software. It can
be used for encryption of e-mails, files and network
communications, based on PKI. It also offers a personal firewall
and intrusion detection (IDS). PGP offers the possibility to
use split keys for encryption/decryption and digital signing.
When creating a split key, you are asked to set up how many
shares will be required to rejoin the key. The
shares are saved as files either encrypted to the public key of a
shareholder or encrypted conventionally if the shareholder has no
public key.
After the key has been split, attempting to sign with it or
decrypt with it will automatically attempt to rejoin the key.
There are two ways to rejoin a key, locally and remotely.
Rejoining key shares locally requires the shareholders' presence
at the rejoining computer. Each shareholder is required to enter
the passphrase for his or her key share. Rejoining key shares
remotely requires the remote shareholders to authenticate and
decrypt their keys before sending them over the network. PGP's
Transport Layer Security (TLS) provides a secure link to transmit
key shares, which allows multiple individuals in distant locations
to securely sign or decrypt with their key share.
Wkit Security AB has found that if any caching option in PGP
Desktop Security 7.0 is activated there is a vulnerability that
allows a malicious user to encrypt/decrypt or sign any file or
e-mail with a split key that has been previously authenticated by
an appropriate number of split-key shareholders.
Users A, B, C and D have one share each of a split key (let's say a
corporate management key). The split key requires two shares to
authenticate in order to be operational.
User A asks user B to provide his/her share for encryption of the
latest economic forecast (let's say a PDF document). User B knows
that this is a document that needs to be encrypted and should not
be accessible by one single user, so he/she connects to user A's
PGP network session and supplies his/her share for the split key,
thus enabling encryption of the economic forecast (user A's share
is of course also supplied).
Now, user A has the option "Cache passphrase while logged on"
activated in his/her PGP software. This lets user A do
"whatever" with the split key.
Since user A in this example is malicious, he/she writes a press
announcement and signs it with the split key (corporate management
key, remember?). Imagine the impact a press announcement with
negative (or any other unwanted) information signed with a
"trustable" key would have.
The concept of split keys/key shares that is used by PGP Desktop
Security 7.0 is not secure in itself, regardless of caching
options or any similar mechanism in the software. A malicious user
could replace the PGP software with a modified version, thus
"grabbing" the key shares from the other key share holders.
There are systems that solve this problem. They allow each party
to receive a copy of the data that they wish to sign or encrypt,
and they can perform a partial operation on it using their share
on a trusted system.
They can then forward the partial result to the next user and so
on until all users required have processed the data. The last
user will generate the final encrypted or signed data.
Since none of the users revealed their share, neither an outsider
nor any of the participants obtains a copy of the reconstructed
secret, so the split key can be reused as long as you want.
The information within this advisory does not imply in any way
that the cryptographic algorithms used by the PGP software
contain a vulnerability. This advisory points out a risk in the
method that is used for split keys, not necessarily limited to
the PGP Desktop Security 7.0 software package. Other encryption
software packages may use the same method for split keys, thus
making them vulnerable to malicious users.
However, Wkit Security AB feels that the caching feature of PGP
Desktop Security 7.0 makes the process of retrieving/storing
shares from a split key so easy that no expert knowledge is
needed to exploit this vulnerability.
SOLUTION
Wkit Security AB has no knowledge of any solution or workaround
for this problem. Even if the vendor were to disable caching for
split keys, it would still be possible for a malicious user to
write his/her own software to "grab" the key shares.
If one wishes to utilize split keys, the use of a system that does
not require exposure of key shares is preferred.