COMMAND

    PGP

SYSTEMS AFFECTED

    PGP Desktop Security 7.0

PROBLEM

    Patrik Birgersson (Wkit Security AB) found the following.  PGP
    Desktop Security 7.0 is a collection of encryption software.  It can
    be used to encrypt e-mails, files and network communications, based
    on PKI.  It also offers a personal firewall and intrusion detection
    (IDS).  PGP offers the option of using split keys for
    encryption/decryption and digital signing.  When creating a split
    key, you are asked how many shares will be required to rejoin the
    key.  The shares are saved as files, either encrypted to the public
    key of a shareholder or encrypted conventionally if the shareholder
    has no public key.

    After  the  key  has  been  split,  attempting  to sign with it or
    decrypt  with  it  will  automatically  attempt to rejoin the key.
    There  are  two  ways  to  rejoin  a  key,  locally  and remotely.
    Rejoining key shares locally requires the shareholders' presence
    at the rejoining computer.  Each shareholder is required to  enter
    the passphrase  for his  or her  key share.   Rejoining key shares
    remotely  requires  the  remote  shareholders  to authenticate and
    decrypt their keys  before sending them  over the network.   PGP's
    Transport Layer Security (TLS) provides a secure link to  transmit
    key shares, which allows multiple individuals in distant locations
    to securely sign or decrypt with their key share.

    Wkit  Security  AB  has  found  that  if any caching option in PGP
    Desktop Security 7.0  is activated there  is a vulnerability  that
    allows a  malicious user  to encrypt/decrypt  or sign  any file or
    e-mail with a split key that has been previously authenticated  by
    an appropriate number of split-key shareholders.

    Users A, B, C and D have one share each of a split key (let's say a
    corporate management key).  The split key requires two shares to
    authenticate in order to be operational.

    User A asks user B to provide his/her share for encryption of  the
    latest economic forecast (let's say a PDF document).  User B knows
    that this is a document that needs to be encrypted and should  not
    be accessible by one single  user, so he/she connects to  user A's
    PGP network session and supplies his/her share for the split  key,
    thus enabling encryption of the economic forecast (user A's  share
    is of course also supplied).

    Now, user A has the option "Cache passphrase while logged on"
    activated in his/her PGP software.  This lets user A do "whatever"
    with the split key.

    Since user A in this  example is malicious, he/she writes  a press
    announcement and signs it with the split key (corporate management
    key, remember?).   Imagine the  impact a  press announcement  with
    negative  (or  any  other  unwanted)  information  signed  with  a
    "trustable" key would have.

    The concept of split keys/key shares that is used by PGP Desktop
    Security 7.0 is not secure in itself, regardless of caching options
    or any similar mechanism in the software.  A malicious user could
    replace the PGP software with a modified version, thus "grabbing"
    the key shares from the other shareholders.

    There are systems that solve this problem.  They allow each  party
    to receive a copy of the  data that they wish to sign  or encrypt,
    and they can perform a  partial operation on it using  their share
    on a trusted system.

    They can then forward the partial  result to the next user and  so
    on until  all users  required have  processed the  data.  The last
    user will generate the final encrypted or signed data.

    Since none of the users reveals their share, nobody else, and none
    of them, obtains a copy of the reconstructed secret, so the split
    key can be reused for as long as you want.
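
    The two designs contrasted above, as an added example that is not
    PGP's code: a toy RSA key (constructed, insecure parameters) is
    first split Shamir-style, so the host that rejoins any two of the
    four shares holds the full private exponent and can cache and reuse
    it exactly as the advisory describes; the same exponent is then
    split additively so each holder applies only its own share and the
    full exponent is never assembled anywhere.  The additive form is
    k-of-k rather than a threshold scheme; that choice is an assumption
    of this example, not something the advisory specifies.

```python
# Added illustration (not PGP's code) with a constructed, insecure toy RSA key.
import random

P_RSA, Q_RSA = 61, 53
N = P_RSA * Q_RSA                # 3233
PHI = (P_RSA - 1) * (Q_RSA - 1)  # 3120
E = 17
D = pow(E, -1, PHI)              # 2753, the private exponent to protect
FIELD = 7919                     # prime field for Shamir shares, must exceed D

def shamir_split(secret, threshold, holders):
    """Rejoin design: polynomial shares, any `threshold` of them rejoin."""
    coeffs = [secret] + [random.randrange(FIELD) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, FIELD) for i, c in enumerate(coeffs)) % FIELD)
            for x in range(1, holders + 1)]

def shamir_rejoin(shares):
    """Lagrange interpolation at x=0.  Whoever runs this holds the whole
    secret afterwards and can cache and reuse it without the others."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        secret = (secret + yi * num * pow(den, -1, FIELD)) % FIELD
    return secret

def additive_split(d, holders):
    """Partial-operation design: d = d_1 + ... + d_k (mod PHI), k-of-k."""
    parts = [random.randrange(PHI) for _ in range(holders - 1)]
    return parts + [(d - sum(parts)) % PHI]

def partial_sign(message, part):
    """Each holder exponentiates with its own share on its own system."""
    return pow(message, part, N)

def combine_partials(partials):
    """Last holder multiplies the partial results; the exponent D is never
    assembled anywhere, so there is nothing for a caching option to keep."""
    result = 1
    for s in partials:
        result = result * s % N
    return result

def verify(message, signature):
    return pow(signature, E, N) == message
```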

    The information within this advisory does not imply in any way
    that the cryptographic algorithms used by the PGP software
    contain a vulnerability.  This advisory points out a risk in the
    method that  is used  for split  keys, not  necessarily limited to
    the PGP Desktop Security  7.0 software package.   Other encryption
    software packages  may use  the same  method for  split keys, thus
    making them vulnerable to malicious users.

    However, Wkit Security  AB feels that  the caching feature  of PGP
    Desktop  Security  7.0  makes  the  process  of retrieving/storing
    shares  from  a  split  key  so  easy  that no expert knowledge is
    needed to exploit this vulnerability.

SOLUTION

    Wkit Security AB  has no knowledge  of any solution  or workaround
    for this problem. Even if  the vendor were to disable  caching for
    split keys,  it would  still be  possible for  a malicious user to
    write his/her own software to "grab" the key shares.

    If one wishes to utilize split keys, the use of a system that does
    not require exposure of key shares is preferred.