Re: Hypothesis: PGP backdoor

[Ondrej Mikle]

Len Sassaman wrote:

On Thu, 24 Aug 2006, Ondrej Mikle wrote:
I also have no question, personally, that if there's a backdoor in PGP,
neither Mr. Callas nor any of the PGP engineers I had the pleasure to work
with know of it. Your theory is indeed wild, and though I don't mean to
discourage vigilance in questioning these sorts of potential subversions
of integrity in software as important as PGP, you might consider doing
more research into the background of people against whom you choose to
levy hypothetical accusations in public forums in the future.



OK, thanks for answering. I had only very limited view of the background 
behind PGP (i.e. stuff about NAI/PGP corp).


One last question: what about the PGPdisk SDA (self-decrypting archives, 
i.e. executables)? There has been a claim that SDA archives can be 
decrypted using a debugger. Is it true or false? See the section Two 
Ways to bypass PGP SDA Authentication and EXTRACT with success in the 
advisory http://www.safehack.com/Advisory/pgp/PGPcrack.html. Is the 
guy confused again? ;-)


Thanks
  OM

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]

Debunking the PGP backdoor myth for good. [was RE: Hypothesis: PGP backdoor (was: A security bug in PGP products?)]

[Dave Korn]

On 24 August 2006 03:06, Ondrej Mikle wrote:

 Hello.
 
 We discussed with V. Klima about the recent bug in PGPdisk that
 allowed extraction of key and data without the knowledge of passphrase.
 The result is a *very*wild*hypothesis*.
 
 Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html
 
 Question 1: why haven't anybody noticed in three months? Why has not
 there been a serious notice about it?

  Because it is completely incorrect.  Utterly wrong.  This was explained on
this list just a couple of days ago, look for the thread A security bug in
PGP products? in the list archives.

 According to the paper, both standard .pgd and self-extracting SDA
 (self-decrypting archives) are affected. Systematic backdoor maybe?

  No, the paper is wrong.  They aren't affected, you can't break the
encryption on them, and therefore there is no backdoor.
 
 Possibilities:
 1) it is a hoax. Though with very low probability. The text seems to
 include a lot of work and makes perfect sense (REPE CMPS, all the
 assembly), i.e. we suppose it is highly improbable that somebody would
 make such hoax.

  It is not a hoax.  It is the work of an incompetent.  Like many of those who
invent perpetual motion machines, he genuinely believes that what he has done
is correct, but it isn't.  Unfortunately, but also very much like many of
those who invent perpetual motion machines, when this is pointed out to him he
assumes that everyone else is either stupid or malicious, rather than accept
that his theory has a massive flaw which completely undermines it.

  This can be either proven or disproven simply by
 checking the Win program using hex editor/debugger (using an already
 downloaded copy). I haven't had the time to check it yet (no Win).

  Actually, it can't, because the instructions he has given are not sufficient
to follow.  At the critical point, he says you must replace the bytes where
the disk encryption key is stored.  Unfortunately, he cannot tell you what to
replace them with, unless you already happen to have a copy of the bytes
representing that *exact* *same* disk encryption key stored *under* *a*
*known* *passphrase*, and that is why the only example on his website that
works is the one where you change the passphrase on a disk but don't
re-encrypt it.  He even admits that in all other cases you will extract
crap.

  Examine the instructions at
http://www.safehack.com/Advisory/pgp/PGPcrack.html#Two_Ways_to_bypass_PGP_SDA_
Authentication

--quote--
Two Ways to bypass PGP SDA Authentication and EXTRACT with success


After spending a lot of time debugging and analyzing PGP SDA, we came up with
a conclusion that we can successfully extract the contents of PGP SDA in 2
ways.

1) Modifying the contents of the address 00890D70. (Screen Capture)

The modification should be done in:
0040598F |. E8 AC3D CALL filename_s.00409740

At: 00409740 /$ 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]

At this point change the contents of 00890D70.

After the bytes change, you will have to bypass authentication. After
bypassing authentication you will be able to extract.

2) Modifying the contents of the address 00BAF670. (Screen Capture)

The Modification should be done in:
0040595F FF15 90324100 CALL DWORD PTR DS:[413290]

At: 004019DA /$ FF7424 08 PUSH DWORD PTR SS:[ESP+8]

At this point change the contents of 00BAF670.
NOTE: At this point if you change the contents of 00BAF670, you won't have to
bypass authentication, it will work like a charm, and it will grant
auth/extract.  
--quote--

  Notice the crucial phrases At this point change the contents of 00890D70,
and At this point change the contents of 00BAF670.  He gives you absolutely
no information what it is that you need to change those bytes to.  Well, I can
tell you.  You have to change them to be the value of the disk encryption key
as encrypted by whatever passphrase you chose to enter.  You cannot do this
unless you already know the disk encryption key.

  In other words, if you already know the key to decrypt the disk, you can
decrypt the disk.  If you don't, however, you can't.

  Examine the writing a bit further down the page, where it says

--quote--
Accessing ANY PGP VIRTUAL Disk . (Need more testing and free time, Check
Debugging Notes at the end)

At this point you can add users change existing users passphrase Re-encrypt
disk and do other stuff. But when you try to access the disk you will get Disk
is not formatted. This is when you need to use your debugger.

--quote--

  Notice how he doesn't say what you need to *do* with the debugger, so let me
explain what he has skipped over:  Using only your debugger, you need to guess
the decryption key for the disk.  Think that's something you can do with a
debugger?