A security bug in PGP products?

Dave Korn dave.korn at artimi.com
Wed Aug 23 13:40:14 EDT 2006

"Ondrej Mikle" <ondrej.mikle at gmail.com> wrote in message
news:<44EAF045.3080202 at gmail.com>...
> Max A. wrote:
> > Hello!
> > 
> > Could anybody familiar with PGP products look at the following page
> > and explain in brief what it is about and what are consequences of the
> > described bug?
> > 
> > http://www.safehack.com/Advisory/pgp/PGPcrack.html
> > 
> It seemed a bit obscure to me at first, but it says basically:
> PGPdisk does not use key derived from passphrase, just does simply this:
> if (somehash(entered_password) == stored_password_hashed) then 
> access_granted();
> That's the REPE CMPS chain instruction (string comparison). The check 
> can be simply skipped using debugger by interrupting the program, 
> changing CS:EIP (i.e. the place of execution) to resume after 
> "successful" check. The text probably implies that the key is stored 
> somewhere in the PGPdisk file and key's successful extraction does not 
> depend on knowledge of the passphrase.

  Nope.  Well, yes, the text does imply that, but the text is seriously wrong.
See my previous post for the full mechanism.  (Assuming the moderator lets it

  Given that, whatever passphrase you use, you will decrypt the EDK block and
get /something/ that looks like a key, this comparison of hashes is a sanity
test.  If you bypass it but enter the wrong passphrase, you'll get an
incorrectly-decrypted EDK, which will lead your disk to look like every sector
is full of random garbage.  Rather than decrypt the entire disk and run chkdsk
to see if it looks sane, comparing the hashes of the passphrase is a quick and
dirty way of testing if the resulting EDK is going to be the correct one.

  The author of the website did have this explained to him by someone from PGP
corp. on FD when he first reported this, but he failed to understand it, or
perhaps just refused to believe it.  Bypassing this check doesn't decrypt the

> So if you change passphrase, the disk won't get re-encrypted, just by 
> copy&pasting the old bytes you will revert to the old passphrase or you 
> can create another disk with passphrase chosen by you and use 
> copy&pasting method to decrypt other PGPdisk protected with passphrase.

  Yes to the first one, but no to the second, because when you create a disk
it will have an entirely new EDK, so replacing the header block with one from
a different disk will mean that, yes, you can enter the old passphrase, and
yes, that will pass the hash-comparison check, but the old EDK (that you
correctly decrypt with the correct passphrase) doesn't actually apply to the
encrypted data on the new disk, and the disk will look like gibberish.

Can't think of a witty .sigline today....
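A small model of the mechanism described above, added here as an illustration and not taken from PGPdisk or from either poster: the disk sectors are encrypted under a random EDK, the EDK is stored wrapped under a passphrase-derived key, and a passphrase hash sits beside it purely as the sanity check being discussed. The KDF (PBKDF2-SHA256), the cipher (a SHA-256 counter-mode keystream standing in for a real cipher) and the header layout are all assumptions made for the example; only the structure of the argument mirrors the post. It exercises the four cases the thread raises: correct passphrase, wrong passphrase rejected, the compare skipped (garbage out), the old header bytes restored after a passphrase change (works), and a header transplanted from another disk (check passes, data is gibberish).

```python
"""Toy model of the PGPdisk header logic discussed in the thread.

Added example, not PGPdisk's real format or code.  Assumptions (not from
the page): PBKDF2-SHA256 as the passphrase KDF, a SHA-256 counter-mode
keystream as the cipher, and the dict layout used for the header.
"""
import hashlib
import hmac
import os

SECTOR = 32                  # toy sector size in bytes (assumed)
SALT = b"constructed-salt"   # fixed so the example is reproducible


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a stand-in for a real stream/block cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def kek_from_passphrase(passphrase: str) -> bytes:
    """Key-encrypting key derived from the passphrase (wraps the EDK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 10_000)


def passphrase_check(passphrase: str) -> bytes:
    """The stored value the string compare is checked against."""
    return hashlib.sha256(b"check|" + passphrase.encode()).digest()


def create_disk(passphrase: str, plaintext: bytes) -> dict:
    edk = os.urandom(32)      # fresh per disk; never derived from the passphrase
    return {
        "check": passphrase_check(passphrase),
        "enc_edk": crypt(kek_from_passphrase(passphrase), edk),
        "sectors": crypt(edk, plaintext),
    }


def unwrap_edk(disk: dict, passphrase: str) -> bytes:
    """Whatever passphrase is given, *some* 32 bytes come out of this."""
    return crypt(kek_from_passphrase(passphrase), disk["enc_edk"])


def mount(disk: dict, passphrase: str, bypass_check: bool = False) -> bytes:
    """Return decrypted sector data, or raise if the sanity check fails.

    bypass_check models patching CS:EIP past the comparison: decryption
    simply proceeds with whatever EDK the wrong passphrase produced.
    """
    if not bypass_check and not hmac.compare_digest(
            disk["check"], passphrase_check(passphrase)):
        raise ValueError("passphrase check failed")
    return crypt(unwrap_edk(disk, passphrase), disk["sectors"])


def change_passphrase(disk: dict, old: str, new: str) -> dict:
    """Re-wrap the same EDK under a new passphrase; sectors are untouched."""
    edk = unwrap_edk(disk, old)
    return dict(disk, check=passphrase_check(new),
                enc_edk=crypt(kek_from_passphrase(new), edk))


def demo() -> dict:
    data = b"FILESYSTEM:" + b"A" * (2 * SECTOR - 11)   # constructed plaintext
    disk_a = create_disk("correct horse", data)
    results = {"right": mount(disk_a, "correct horse") == data}
    try:
        mount(disk_a, "wrong")
        results["wrong_rejected"] = False
    except ValueError:
        results["wrong_rejected"] = True
    # Skip the compare (the "crack"): decryption runs, output is garbage.
    results["bypass_is_garbage"] = mount(disk_a, "wrong", bypass_check=True) != data
    # Passphrase change re-wraps the same EDK, so pasting the old header
    # bytes back over the new ones reverts the disk to the old passphrase.
    disk_a2 = change_passphrase(disk_a, "correct horse", "new pass")
    reverted = dict(disk_a2, check=disk_a["check"], enc_edk=disk_a["enc_edk"])
    results["old_header_reverts"] = mount(reverted, "correct horse") == data
    # Header transplanted from disk B: the check passes for B's passphrase,
    # but the EDK that unwraps is B's, so A's sectors decrypt to gibberish.
    disk_b = create_disk("attacker pass", b"B" * len(data))
    frankendisk = dict(disk_a, check=disk_b["check"], enc_edk=disk_b["enc_edk"])
    results["foreign_header_garbage"] = mount(frankendisk, "attacker pass") != data
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the model makes concrete is that the hash compare guards nothing: skipping it changes which code path runs, not which EDK falls out of the wrapped block, and only the right passphrase unwraps the EDK that matches the sectors.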

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
