Hypothesis: PGP backdoor (was: A security bug in PGP products?)

Wed Aug 23 22:05:57 EDT 2006

Hello.

We discussed with V. Klima about the "recent" bug in PGPdisk that 
allowed extraction of key and data without the knowledge of passphrase. 
The result is a *very*wild*hypothesis*.

Cf. http://www.safehack.com/Advisory/pgp/PGPcrack.html

Question 1: why haven't anybody noticed in three months? Why has not 
there been a serious notice about it?

According to the paper, both "standard" .pgd and self-extracting SDA 
(self-decrypting archives) are affected. Systematic backdoor maybe?

Possibilities:
1) it is a hoax. Though with very low probability. The text seems to 
include a lot of work and makes perfect sense (REPE CMPS, all the 
assembly), i.e. we suppose it is highly improbable that somebody would 
make such hoax. This can be either proven or disproven simply by 
checking the Win program using hex editor/debugger (using an already 
downloaded copy). I haven't had the time to check it yet (no Win).

2) AFAIK, Zimmerman is no longer in control of the company making PGP. 
AFAIK the company (NAI) has been bought by another group couple of years 
ago.

www.pgp.org says:

"
2002/03/08 - NAI drops PGP Desktop
2001/10/15 - NAI to sell PGP division
"

It may be therefore quite possible that NSA/CIA/FBI/etc. couldn't force 
Zimmerman to compromise his own product directly, so they have bought 
the company. The backdoor might have been introduced in the latest 
releases (e.g. 8.x, 9.x).

3) there was a lazy programmer, or a programmer-infiltrator from the 
ranks of intelligence services. What does one do when a cryptosystem 
seems unbreakable? He circumvents it. AFAIK the code has been checked 
many times in NAI, until some point in time.

As you all probably know, there has been a lot of mischief around 
Zimmerman and PGP in the '90-ties. We don't think NSA/CIA/FBI/etc would 
"just give up without fight". You know, the "three-line PERL RSA 
implementations on T-shirts" and so on.

Code of PGPdisk 9.x looks like this according to the paper: when the 
passphrase is changed, the key itself remains untouched. If at least the 
encryption key has been encrypted by a symmetric key generated e.g. by 
PBDFK2 from the passphrase.

----
Conclusion: it seems that NSA/CIA/FBI/etc. haven't called truce. 
Thought, very clever solution. Nevertheless, nothing we haven't had 
already seen in 1st/2nd world war tactics.

What do you think? Your input is welcome.

OM

P.S. sorry for any misspellings of names

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com