Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

unnamed customers

[underwhelm (53409)]

Maybe they were unnamed because there is No Such Agency?

And People Wonder Why Open Source!

[SerpentMage (13390)]

When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.

Re:

[spottedkangaroo (451692)]

For now anyway.

If people complete various "hard" problems on quantum computers then the non-people at the NSA can probably afford to throw two billion (or whatever) at it to crack ALL MODERN ENCRYPTION that doesn't use quantum devices for keys.

Re:

[Cheesey (70139)]

When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

Ah, but that's not necessarily a defence against the NSA! Their backdoors might not be hidden in closed source binaries, or in obfuscated source code, or in your CPU hardware, or even injected covertly by your copy of GCC when it recognises encryption code. They might be mathematical backdoors, hidden inside well-known ciphers that are generally thought to be secure. There's the old st

Re:

[VENONA (902751)]

You sending people off to this reference would seem to indicate that you don't think anyone will read more than the first bits.
http://en.wikipedia.org/w/index.php?title=Data_Encryption_Standard&oldid=161828931 [wikipedia.org], so the Wiki article is versioned.

I guess it all depends upon whether you think factoring large numbers is a hard problem, whether special cases might exist, whether huge amounts of investment dollars matter, etc. From there you make your own call about whether or not to go all elliptical (another

Re:

[wikinerd (809585)]

I like my privacy.

Will be made illegal very soon :(

Re:unnamed customers

[moderatorrater (1095745)]

A backdoor that's documented, although poorly, that you can disable and requires access to the unencrypted disk beforehand? If it were the NSA they wouldn't have allowed it to be documented and you couldn't disable. However, I can think of several large corporations that would require something like this and would have contracts large enough to justify changing the product for. Paranoia doesn't seem to be justified in this case.

Re:

[moderatorrater (1095745)]

But it does mean that this is not that door. As mentioned elsewhere in this article, under no circumstances should you trust information that you want to be secret to a closed program/algorithm.

Random Example Bank or Retail would want this

[billstewart (78916)]

It looks very much like the kind of feature that a random bank or retail store would want - if the power goes out at a store, you want the system to be able to come back up and run the cash registers even though there's nobody technical enough to trust to press the "reboot" button much less connect a console and type in passwords.

If you RTFA, you'll see that it's a feature that you can only turn on if you've already got access to the disk, and PGP did it so it only works once.

Huh?

[CoffeeIsMyGod (1136809)]

"encryption bypass" ?

That basically turns the entire thing into a physiological magic trick.

Re:

[CoffeeIsMyGod (1136809)]

What, read the article? I'm confused. Isn't this /. ?

The only people to enable would know about it

[by Anonymous Coward]

And if anyone else can enable it, then they already have access to your computer anyway.

Did anyone read the response?

[duplicate-nickname (87112)]

Seriously, customers require this so IT staff can do remote support and reboot the machine remotely. It is only enabled for one reboot, and you must have cryptographic access to enable this feature. The only threat is if someone where to enable this, not reboot, and then have the machine stolen.

Why does crap like this make it to the front page of Slashdot?

Re:

[Ungrounded Lightning (62228)]

The only threat is if someone where to enable this, not reboot, and then have the machine stolen.

I see what is possibly another. I may enable a hole of this form:

If someone gets access to the disk or its contents before the reboot, they can clone the state of the encryption software - which will do one "unlocked" reboot. Later (up to a point where the encryption key is changed) they can shut down the machine, reapply this state, and bring it up without the password, gaining access to data that has been ad

Re:Did anyone read the response?

[Lothsahn (221388)]

They do have access to the keys. That's the point.

They need to do unattended automated reboots of thousands of computers. These are enterprise customers.

They have the encryption key, and they want to apply security updates and reboot the computers. When the employees come to work in the morning, they expect the computers to be on and operational, as they left it.

If you don't use the feature, then it poses no risk. If you need to apply unattended updates to computers on a large scale, going to each computer and typing in the passphrase is not practical.

This is a non-issue, and a FUD article. You need to have UNLOCKED access to the encrypted volume to enable this feature.

Normal users using PGPDisk and not using this feature are at no greater risk for it existing.

Re:

[Mister Whirly (964219)]

You had better pack a small bag and go. THEY are already on THEIR way to your house as I type this. GO! NOW!

Re:Did anyone read the response?

[chill (34294)]

No, there isn't. There are stories that only make it into category pages, like Games or Apple, but don't make it to the front page that everyone sees.

Re:

[Chibi Merrow (226057)]

With propretary software, there's no way to know. It could have any number of malicious or ill-conceived/insecure features. Why risk it?

Because a backdoor can just as easily be slipped into open source software, if not more easily since everyone's assuming "Oh it's open, someone else is looking for backdoors." On top of that, when things go south there's no one to point the finger at and no one to go to for support.

Look at all the security flaws that have popped up in Firefox over the past two years that co

to put out some of the flames

[trybywrench (584843)]

from the response:

"We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."

and

"You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."

makes pretty good sense to me

Re:to put out some of the flames

[MalleusEBHC (597600)]

Also, from his wording, it sounded like it is not enabled by default. In other words, you can actively choose to sacrifice a bit of security in order to make it work properly in your environment. Sounds like a nice feature to me.

Re:to put out some of the flames

[mritunjai (518932)]

You're missing the point!

Yes, it is a nice(TM) feature and might be useful, but that is not the problem.

The problem is that the feature is fricking undocumented. There is absolutely no way to know it is there and how to look out for it. It also means that you can't just know how many of these backdoors are in there. Is it only the first undocumented backdoor ? How many more of the convenience features are in there by customer demand ? How do they affect me ?

When it comes to security software or hardware any and all undocumented features are BUGS! It's a principle, not a convenience!

Re:

[Rogerborg (306625)]

Calm down, Sparky. It's documented to their customers, i.e. the people who actually need to know about it.

Heh

[jayhawk88 (160512)]

"We are not the only maNufacturer to have Such a feature -- All the major people do, because our customers require it of us.

Re:

[ch0ad (1127549)]

"We are not the onlY manufacturer tO have sUch a feature -- All the major people do, because our cusTomers requIre iT of us."

Many products allow disabling preboot auth

[bongk (251028)]

There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -

The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the bios, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theorhetically not even the NSA could decrypt the laptop without the user's password.

Here's the flaw - the software has a checkbox to disable Pre-boot authentication. What this does is generate a default user with a random password, and then store this random password obfuscated but in clear-text in the same disk area decryption software. When you talk to the sales-people, they sell this as a feature, in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.

Today it seems to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.

I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that its basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)

Re:Many products allow disabling preboot auth

[foo fighter (151863)]

We use Utimaco SafeGuard Easy and we also bypass pre-boot authentication (PBA).

The problem is a company may have thousands of laptops in the wild and Active Directory passwords that expire every 90 days. Because the PBA credentials aren't integrated with AD that means you have a nightmare password management situation. Utimaco does provide a server to try to alleviate this problem, but it's still a major management pain.

It's true that by default the PBA bypass key gets stored obfuscated but in plain text on the hard drive if you bypass PBA. But if you have a modern computer with a trusted platform module (TPM) you can configure SafeGuard Easy to store the key there. You can also bind the hard drive to that particular TPM chip so that it is unaccessible if attached to another computer.
http://americas.utimaco.com/safeguard_easy/manual_v430/1-245.html [utimaco.com]

Which full disk encryption to use?

[Aminion (896851)]

So which full disk encryption software does Slashdot recommend? Preferably FOSS and available for *Nix and Windows.

unnamed customers???

[someone1234 (830754)]

Hmm, the FBI paid them for having this backdoor?

1. if i have a real (paying) customer who needs this, i will supply them (and only them) with a customised version.
2. or i fully document the feature.

Re:PGP or not so PGP?

[dave420 (699308)]

If you RTFA you'd see this feature is needed for anyone who remotely-boots their encrypted drive. The feature is not a backdoor - it has to be enabled by someone with cryptographic access to the drive, and it only works once per setting - reboot, and it's disabled. The only way this could be a security issue is if it's enabled, and before the drive boots up again, the drive is stolen. Features like this are needed, as without them, the drive is useless for remote management, and people won't use encryption, which is obviously far more insecure than having this feature and using it correctly.

Jon *did* call it "dangerous"

[billstewart (78916)]

Yeah, it's a potentially dangerous feature - but some customers want it anyway, and at least PGP implemented it in a way that's less dangerous than it could have been. I'd have preferred to see some additional hardware involved, e.g. require input from a USB dongle or successful DHCP hit or something in addition to the disk-stored info, but it's hard to get that to work portably and reliably.

Re:Fine by me..

[illegalcortex (1007791)]

RTFA or at least TFComments (though that might be difficult in your rush to be first post). As many have pointed out, to turn on the feature, you have to already get past the encryption. It's not a "backdoor" in any sense. Someone who doesn't already know the passphrase can't use it to get access to the drive. Plus, this feature is turned off by default so the user has to actively enable it. You enter the passphrase, reboot the computer and on THAT boot, it doesn't ask you for a passphrase. Next reboot it does.

This actually DOES sound like a very good feature and I would hope other products have it, too. Wish the editors would RTFA, too...

Re:Fine by me..

[illegalcortex (1007791)]

Or someone or something on the machine has to convince PGP that the user has actively enabled it.

And that "someone or something" has to already know the encryption passphrase to do this. Please think these things through.

Re:

[illegalcortex (1007791)]

I can't believe you made such a long post about a moot point. If you social engineer someone to give you the passphrase, you don't even need to use this feature. The passphrase is the whole thing encrypting the disk. If you have the passphrase, you ALREADY GOT THE ACCESS. You don't need any fancy reboot tricks.

Re:

[illegalcortex (1007791)]

Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.

Sheesh.

Re:

[1u3hr (530656)]

I unplug your network cable and remove your hard drive, Plug your harddrive into my system..Get the data and recheck, the pre-boot authentication. Put the hard drive back into your computer. Turn it on. it continues the reboot process.. Except for the extra delay.....you never know I just got your data.

You forgot the part where you descend form the ceiling suspended by a wire harness and hang upside down while typing into the console.

With that degree of access, there are a million things you could do t

Re:Fine by me..

[idontgno (624372)]

They also just lost credibility.

Oh, I don't know. From the start, all the promised was Pretty Good Privacy. Not like Fort Knox, more like a combination padlock on an open-backed locker.

I find myself wishing more and more that Phil Zimmerman hadn't sold to NAI.

Does GPG have a full-disk mode? I think I could trust something with open source and reliable software freedom.

There was GPGDisk

[Kadin2048 (468275)]

The GPG program that you download doesn't do full-disk encryption; it's pretty purely a file/stream encryption program. I suppose you could use it for disk encryption, by streaming data through it on its way to and from a device, but that's not how it's normally used.

There is/was a program around that used GPG to do FDE, called GPGDisk. I'm not sure whether it used your installed copy of GPG to do the heavy lifting, or if it just included the same code, or worked using the same algorithms but had its own totally separate crypto engine. It was reasonably popular for a while, but I think a lot of people who were using it have now switched to TrueCrypt.

However, GPGDisk did offer some unique features, like the ability to encrypt a disk using a GPG key, and some fairly fine-grained access controls that you could set up for multiple users (IIRC). Every once in a while someone will mention it on the comments on Bruce Schneier's blog, so apparently it's still getting some use. But it doesn't offer some of the neater features that TrueCrypt does, like plausible deniability or containers-in-containers, I don't believe.

Re:Fine by me..

[pilsner.urquell (734632)]

What, only one referance to Phil Zimmermann? [philzimmermann.com] One of the main reasons Philip Zimmermann created Pretty Good Privacy in 1991 was because of the US government wanting to install backdoors in encryption software.

"Unnamed Customers"

[WED Fan (911325)]

How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?

Takers?

Re:"Unnamed Customers"

[StrongAxe (713301)]

How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?

From TFA, those "unnamed customers" are companies that have the need to remotely reboot their machines. This feature is NOT a backdoor - it merely allows someone WHO ALREADY HAS WRITE ACCESS TO THE ENCRYPED DRIVE (i.e. someone who has already given the passphrase) to grant a one-time certificate that permits a reboot without asking for the passphrase again. The major risk here is that someone will rob your store during the 60 seconds it takes to reboot over the phone, a possible, but highly unlikely scenario.

Re:Fine by me..

[Dogtanian (588974)]

They shall now be treated as DISHONEST. Lets hope their unnamed big customer can afford to keep PGP in business as they lost mine. They can pay for my business PGP lost. Lets hope they are actually big enough.

From everything that's been said, it seems that the worst that PGP can be accused of is not making clear the security implications of a feature that should have been better documented. And that's arguably quite bad- the worst case is a clueless user turning it on and feeling more protected than they should.

However, the feature isn't enabled by default. It requires cryptographic access *and* knowledge of its existence to turn it on. And if you already have cryptographic access, then the whole issue is academic.

You pompously declaring it "DISHONEST" in capital letters smacks of the typical random-geek's kneejerk first post on a messageboard thread. And FWIW, I don't know how much your oh-so-important business with them is worth anyway; I suspect that the other client probably *was* worth more. (Of course, it's quite plausible that the views of *many* smaller clients who disliked the feature would be a serious counterweight. However, if you're going to act like your *individual* view carries so much weight, expect scepticism).

Re:

[Racemaniac (1099281)]

well, read the other replies. apparantly it is a feature you have to enable yourself, which is useful in some cases, and is no security danger (unless you do stupid things with it). the entire story seems to be a non-issue... it's no real backdoor, just one you can enable for certain uses.

Re:Why is he modded down?

[PylonHead (61401)]

Because he failed to read the article correctly.

There isn't a backdoor. If you encrypt your hard drive, then lose it, nobody can read it.

If on the other hand, if you've encrypted your boot disk, and you want to remotely reboot your machine, you're going to need someway to feed the password to it before it can bring up the OS (and the networking layer).

This feature allows you to store a password for 1 time use. Then you reboot the machine, and when it comes up, it reads the password and erases it.

It's a useful feature. Doesn't effect you if you don't use it. Even if you do use it, you'd have to set the password then forget to reboot for it to be a problem.

Basically this whole story is a non-issue. The moderation on the grandparent is a reflection of his failure to reason through this.

Re:

[king-manic (409855)]

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

I keep hearing that the 2nd amendment would help in this situation but I haven't noticed any militias storming the local branch of

Why is it necessary to have two passwords?

[Futurepower(R) (558542)]

I don't understand that argument. Why is it necessary to have two passwords? An organization must have a database of user passwords, correct? A user may call and say he lost his password.

The only reasons I can imagine for having two passwords are convenience for IT, when they aren't fully automated, and secret government surveillance.

An organization with 1,000 users must manage 1,000 passwords, anyway.

What happens in an organization when a member of the IT staff leaves? The IT access special passwo

PGP Does Open Source for Peer Review

[A non-mouse Coward (1103675)]

But ... PGP has a peer review, open-source process [pgp.com]. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]

Re:

[by Anonymous Coward]

uhh, if you new anything about PGP you would know that all the source is published. If you have a remote office without local IT staff this feature makes sense. Every month you have to patch your windows servers, most of these patches require a reboot and if this feature didn't exist you would have to send someone out to type in a passphrase making remote administration impossible. Anyways the use case that the original article envisions is ludicrous. If you have rooted the box with a trojan you have ac

Re:closed source encryption software??!!

[OfficeSupplySamurai (1130593)]

Come on, why would you even consider using such a thing?

Because the source is available [pgp.com] without cost, you just fill out a form, and then you can download it. It's not free software, but the source is not a secret either.

Re:

[dgatwood (11270)]

This is not uncommon, though the lack of documentation is.... Most such encryption products offer the ability to specify a master encryption key across an organization. The way that works is that your individual crypto key protects a copy of the drive-specific crypto key, which then protects the drive. The company you work for has a master crypto key which is also used to encrypt the drive-specific crypto key. (Usually the latter part is done with PK crypto so the employee can only encrypt contents with

This is how it works

[illegalcortex (1007791)]

Okay, so let me explain why I'm telling you the software doesn't work like this. Here's the key thing to remember: the pre-boot lockout is not the thing protecting data on the disk.

Here's a scenario:
1) Install PGP and encrypt the drive.
2) Reboot
3) Turn on the bypass for the next reboot
4) Shutdown
5) Remove the drive and stick it (or copy of the drive) in another computer as a secondary drive
6) Try to access the drive

From your posts, it appears you think you'll see all the files. The simple fact is that you