Hypothesis: PGP backdoor (was: A security bug in PGP products?)
Ondrej Mikle
ondrej.mikle at gmail.com
Wed Aug 23 22:05:57 EDT 2006
Hello.
We discussed with V. Klima the "recent" bug in PGPdisk that
allowed extraction of key and data without the knowledge of the passphrase.
The result is a *very*wild*hypothesis*.
Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html
Question 1: why hasn't anybody noticed in three months? Why hasn't
there been a serious notice about it?
According to the paper, both "standard" .pgd and self-extracting SDA
(self-decrypting archives) are affected. Systematic backdoor maybe?
Possibilities:
1) it is a hoax. Though with very low probability. The text seems to
include a lot of work and makes perfect sense (REPE CMPS, all the
assembly), i.e. we suppose it is highly improbable that somebody would
make such a hoax. This can be either proven or disproven simply by
checking the Win program using a hex editor/debugger (using an already
downloaded copy). I haven't had the time to check it yet (no Win).
2) AFAIK, Zimmermann is no longer in control of the company making PGP.
AFAIK the company (NAI) was bought by another group a couple of years
ago.
www.pgp.org says:
"
2002/03/08 - NAI drops PGP Desktop
2001/10/15 - NAI to sell PGP division
"
It may therefore be quite possible that NSA/CIA/FBI/etc. couldn't force
Zimmermann to compromise his own product directly, so they have bought
the company. The backdoor might have been introduced in the latest
releases (e.g. 8.x, 9.x).
3) there was a lazy programmer, or a programmer-infiltrator from the
ranks of intelligence services. What does one do when a cryptosystem
seems unbreakable? He circumvents it. AFAIK the code has been checked
many times in NAI, until some point in time.
As you all probably know, there has been a lot of mischief around
Zimmermann and PGP in the '90s. We don't think NSA/CIA/FBI/etc. would
"just give up without a fight". You know, the "three-line Perl RSA
implementations on T-shirts" and so on.
The code of PGPdisk 9.x looks like this according to the paper: when the
passphrase is changed, the key itself remains untouched. If at least the
encryption key has been encrypted by a symmetric key generated e.g. by
PBKDF2 from the passphrase.
----
Conclusion: it seems that NSA/CIA/FBI/etc. haven't called a truce.
Though, a very clever solution. Nevertheless, nothing we haven't
already seen in 1st/2nd world war tactics.
What do you think? Your input is welcome.
OM
P.S. sorry for any misspellings of names
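The key-wrapping design the post describes (a fixed volume key that only ever gets re-wrapped under a passphrase-derived key), written out as an added example; this is not code from the post or from any PGP product, and it assumes a stdlib-only HMAC-based authenticated wrap as a stand-in for the product's real cipher, with constructed parameter values:

```python
import hashlib, hmac, os

PBKDF2_ITERS, KEY_LEN = 200_000, 32   # constructed parameters, not a PGP product's

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Passphrase -> key-encryption key (KEK) via PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERS, dklen=KEY_LEN)

def _subkeys(kek: bytes):
    # Separate keystream and tag keys derived from the KEK.
    return hmac.new(kek, b"enc", "sha256").digest(), hmac.new(kek, b"mac", "sha256").digest()

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real key-wrap cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]

def wrap_dek(dek: bytes, passphrase: str) -> dict:
    # Encrypt the data-encryption key (DEK) under the passphrase-derived KEK.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_kek(passphrase, salt))
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unwrap_dek(header: dict, passphrase: str):
    # Return the DEK, or None when the passphrase (and hence the tag) is wrong.
    enc_key, mac_key = _subkeys(derive_kek(passphrase, header["salt"]))
    tag = hmac.new(mac_key, header["nonce"] + header["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, header["tag"]):
        return None
    ks = _keystream(enc_key, header["nonce"], len(header["ct"]))
    return bytes(a ^ b for a, b in zip(header["ct"], ks))

def change_passphrase(header: dict, old: str, new: str) -> dict:
    # Re-wrap the same DEK under the new passphrase; the encrypted volume is untouched.
    dek = unwrap_dek(header, old)
    if dek is None:
        raise ValueError("old passphrase rejected")
    return wrap_dek(dek, new)   # fresh salt and nonce; the old header must be overwritten

def demo() -> dict:
    dek = os.urandom(KEY_LEN)   # constructed volume key
    h1 = wrap_dek(dek, "old passphrase")
    h2 = change_passphrase(h1, "old passphrase", "new passphrase")
    return {"same_dek": unwrap_dek(h2, "new passphrase") == dek,
            "old_rejected": unwrap_dek(h2, "old passphrase") is None,
            "stale_header_still_opens": unwrap_dek(h1, "old passphrase") == dek}
```

The last flag in demo() is the caveat of this design: because the volume key never changes, a passphrase change only helps if the old wrapper header is securely overwritten, otherwise the old passphrase still opens the volume.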
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com