Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

Fine by me..

... choose a different product. This also is against their product description so report them to trading standards and demand refunds. What about Seagate Momentus FDE drives? DO they have a bypass also?

Re:Fine by me..

RTFA or at least TFComments (though that might be difficult in your rush to be first post). As many have pointed out, to turn on the feature, you have to already get past the encryption. It's not a "backdoor" in any sense. Someone who doesn't already know the passphrase can't use it to get access to the drive. Plus, this feature is turned off by default so the user has to actively enable it. You enter the passphrase, reboot the computer and on THAT boot, it doesn't ask you for a passphrase. Next reboot it does.

This actually DOES sound like a very good feature and I would hope other products have it, too. Wish the editors would RTFA, too...

Re:Fine by me..

Or someone or something on the machine has to convince PGP that the user has actively enabled it.

And that "someone or something" has to already know the encryption passphrase to do this. Please think these things through.

Re:Fine by me..

They also just lost credibility.

Oh, I don't know. From the start, all the promised was Pretty Good Privacy. Not like Fort Knox, more like a combination padlock on an open-backed locker.

I find myself wishing more and more that Phil Zimmerman hadn't sold to NAI.

Does GPG have a full-disk mode? I think I could trust something with open source and reliable software freedom.

There was GPGDisk

The GPG program that you download doesn't do full-disk encryption; it's pretty purely a file/stream encryption program. I suppose you could use it for disk encryption, by streaming data through it on its way to and from a device, but that's not how it's normally used.

There is/was a program around that used GPG to do FDE, called GPGDisk. I'm not sure whether it used your installed copy of GPG to do the heavy lifting, or if it just included the same code, or worked using the same algorithms but had its own totally separate crypto engine. It was reasonably popular for a while, but I think a lot of people who were using it have now switched to TrueCrypt.

However, GPGDisk did offer some unique features, like the ability to encrypt a disk using a GPG key, and some fairly fine-grained access controls that you could set up for multiple users (IIRC). Every once in a while someone will mention it on the comments on Bruce Schneier's blog, so apparently it's still getting some use. But it doesn't offer some of the neater features that TrueCrypt does, like plausible deniability or containers-in-containers, I don't believe.

Re:Fine by me..

What, only one referance to Phil Zimmermann? [philzimmermann.com] One of the main reasons Philip Zimmermann created Pretty Good Privacy in 1991 was because of the US government wanting to install backdoors in encryption software.

"Unnamed Customers"

How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?

Takers?

Re:"Unnamed Customers"

How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?

From TFA, those "unnamed customers" are companies that have the need to remotely reboot their machines. This feature is NOT a backdoor - it merely allows someone WHO ALREADY HAS WRITE ACCESS TO THE ENCRYPED DRIVE (i.e. someone who has already given the passphrase) to grant a one-time certificate that permits a reboot without asking for the passphrase again. The major risk here is that someone will rob your store during the 60 seconds it takes to reboot over the phone, a possible, but highly unlikely scenario.

Re:Fine by me..

They shall now be treated as DISHONEST. Lets hope their unnamed big customer can afford to keep PGP in business as they lost mine. They can pay for my business PGP lost. Lets hope they are actually big enough.

From everything that's been said, it seems that the worst that PGP can be accused of is not making clear the security implications of a feature that should have been better documented. And that's arguably quite bad- the worst case is a clueless user turning it on and feeling more protected than they should.

However, the feature isn't enabled by default. It requires cryptographic access *and* knowledge of its existence to turn it on. And if you already have cryptographic access, then the whole issue is academic.

You pompously declaring it "DISHONEST" in capital letters smacks of the typical random-geek's kneejerk first post on a messageboard thread. And FWIW, I don't know how much your oh-so-important business with them is worth anyway; I suspect that the other client probably *was* worth more. (Of course, it's quite plausible that the views of *many* smaller clients who disliked the feature would be a serious counterweight. However, if you're going to act like your *individual* view carries so much weight, expect scepticism).

Interesting...

Having replaced laptop motherboards for Raytheon that had the pgp whole disk encryption and asking them if there was a way around it to check the os and their response being there is no way around it, I wonder "who" the unnamed customer was?

unnamed customers

Maybe they were unnamed because there is No Such Agency?

And People Wonder Why Open Source!

When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.

Re:unnamed customers

A backdoor that's documented, although poorly, that you can disable and requires access to the unencrypted disk beforehand? If it were the NSA they wouldn't have allowed it to be documented and you couldn't disable. However, I can think of several large corporations that would require something like this and would have contracts large enough to justify changing the product for. Paranoia doesn't seem to be justified in this case.

Huh?

"encryption bypass" ?

That basically turns the entire thing into a physiological magic trick.

unnamed

unnamed customers? there's no such agency.

closed source encryption software??!!

Come on, why would you even consider using such a thing?

PGP Does Open Source for Peer Review

But ... PGP has a peer review, open-source process [pgp.com]. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]

Re:closed source encryption software??!!

Come on, why would you even consider using such a thing?

Because the source is available [pgp.com] without cost, you just fill out a form, and then you can download it. It's not free software, but the source is not a secret either.

The only people to enable would know about it

And if anyone else can enable it, then they already have access to your computer anyway.

Did anyone read the response?

Seriously, customers require this so IT staff can do remote support and reboot the machine remotely. It is only enabled for one reboot, and you must have cryptographic access to enable this feature. The only threat is if someone where to enable this, not reboot, and then have the machine stolen.

Why does crap like this make it to the front page of Slashdot?

Re:Did anyone read the response?

They do have access to the keys. That's the point.

They need to do unattended automated reboots of thousands of computers. These are enterprise customers.

They have the encryption key, and they want to apply security updates and reboot the computers. When the employees come to work in the morning, they expect the computers to be on and operational, as they left it.

If you don't use the feature, then it poses no risk. If you need to apply unattended updates to computers on a large scale, going to each computer and typing in the passphrase is not practical.

This is a non-issue, and a FUD article. You need to have UNLOCKED access to the encrypted volume to enable this feature.

Normal users using PGPDisk and not using this feature are at no greater risk for it existing.

Re:Did anyone read the response?

No, there isn't. There are stories that only make it into category pages, like Games or Apple, but don't make it to the front page that everyone sees.

to put out some of the flames

from the response:

"We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."

and

"You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."

makes pretty good sense to me

Re:to put out some of the flames

Also, from his wording, it sounded like it is not enabled by default. In other words, you can actively choose to sacrifice a bit of security in order to make it work properly in your environment. Sounds like a nice feature to me.

Re:to put out some of the flames

You're missing the point!

Yes, it is a nice(TM) feature and might be useful, but that is not the problem.

The problem is that the feature is fricking undocumented. There is absolutely no way to know it is there and how to look out for it. It also means that you can't just know how many of these backdoors are in there. Is it only the first undocumented backdoor ? How many more of the convenience features are in there by customer demand ? How do they affect me ?

When it comes to security software or hardware any and all undocumented features are BUGS! It's a principle, not a convenience!

Unlikely to be telling the truth

A customer with enough volume to demand such a 'feature' (myself I prefer to call it a bug) surely can justify the addition of a compilation flag as oppose to incorporating into general release. I am incline to think it's more likely to be brown nosing the current US administration.

We all knew it was over

When Phil sold out and went commercial with PGP. He may have saved face by leaving shortly thereafter, but it was too late. With monied interests involved, everyone knew the product's integrity was in question from the first day of the announcement. This just proves that you cannot trust a proprietary product for something as important as encryption.

What's the point?

What is the point of encrypting the drive if it's automatically decrypted? (ie. the key would be stored plaintext somewhere on the drive) I just can't figure that out.

I don't like PGP in any case. I never have because all their stuff is proprietary. S/MIME, ASN.1, etc are all full blown public standards that do the things PGP does except using open interoperable widely adapted standards.

Heh

"We are not the only maNufacturer to have Such a feature -- All the major people do, because our customers require it of us.

What's the big deal?

Its not enabled by default, its a feature that makes sense for servers that sit in a datacenter or a remote location. The PGP exec is correct, other full-disk encryption vendors offer similar features. Its not some sort of evil backdoor for Phil Zimmerman to come laugh at your paltry collection of porn.

Poster got it wrong (again)

As usual, the poster got it wrong. It is not a "backdoor", and if the poster had actually read the response from PGP he would have realized that in order to use this, you already need to know the cryptographic passphrase, AND that it is only good for a single reboot. This is required for remote administration. What are the chances that someone will be sitting by the computer, just waiting for it to reboot so they can steal the disk drive? Because that is essentially the only way for this to be exploited.

Is the bypass on or off by default?

According to TFA, the feature is off by default. To enable it, you must know the password. If someone else knows your password, you're screwed already. Why is this a big deal? I guess being undocumented makes it a bit shady, but the article doesn't say how long the feature has existed. It could simply be new. Anyone have better info?

Come on, RTFA...

This isn't a back door or some secret agenda by some shadowy government agency. It is simply an IT tool to allow remote access to the machine. It is enabled ONCE and you must have cryptographic access to the machine in order to enable it. It is NOT enabled by default, it is a conscious decision to enable the feature made ONLY WHILE you have authorized cryptographic access. Once the machine is rebooted your back to normal.

The OP made it sound more ominous than needed when he said "unnamed customers". Why is everything on Slashdot a giant consipracy??

RTFA.

Truth in Advertising

Pretty Good Privacy. I'd rather have Absolutely Fucking Bulletproof Privacy.

Many products allow disabling preboot auth

There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -

The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the bios, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theorhetically not even the NSA could decrypt the laptop without the user's password.

Here's the flaw - the software has a checkbox to disable Pre-boot authentication. What this does is generate a default user with a random password, and then store this random password obfuscated but in clear-text in the same disk area decryption software. When you talk to the sales-people, they sell this as a feature, in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.

Today it seems to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.

I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that its basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)

Re:Many products allow disabling preboot auth

We use Utimaco SafeGuard Easy and we also bypass pre-boot authentication (PBA).

The problem is a company may have thousands of laptops in the wild and Active Directory passwords that expire every 90 days. Because the PBA credentials aren't integrated with AD that means you have a nightmare password management situation. Utimaco does provide a server to try to alleviate this problem, but it's still a major management pain.

It's true that by default the PBA bypass key gets stored obfuscated but in plain text on the hard drive if you bypass PBA. But if you have a modern computer with a trusted platform module (TPM) you can configure SafeGuard Easy to store the key there. You can also bind the hard drive to that particular TPM chip so that it is unaccessible if attached to another computer.
http://americas.utimaco.com/safeguard_easy/manual_v430/1-245.html [utimaco.com]

PGP corp

PGP is a hilarious company, these days. My company was going to do some consulting work for them, and they announced that we could not work with them unless we complied with their security "policy." We thought it would be no problem--our security is some of the best in the industry.

We read their "policy" and started laughing, however. It isn't a policy so much as a standard, which explicitly requires all computers run PGP Whole Disk Encryption. No other form of data protection is acceptable.

I'm inclined to send this message back to them and include "piss off" in my reply, but I don't know how much the potential contract was worth. But any way you look at it, PGP corp is a joke these days.

the name of the product tells it all

If people wanted Really Good Privacy, they should have purchase encryption from a company called RGP, not Pretty Good Privacy.

Seth

TrueCrypt and GPG

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

My experience of whoever it is who sells PGP is that there are other issues about they way they do business, too.

That's why open source encryption is so important. TrueCrypt [truecrypt.org] supports Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard [gnupg.org].

They can't do whole hard disk encryption, but they are at least honest.

Which full disk encryption to use?

So which full disk encryption software does Slashdot recommend? Preferably FOSS and available for *Nix and Windows.

Password recovery should be possible..?

So clearly the encryption system records the running password somewhere outside the encrypted volume if the auto-reboot is selected. One would assume that, upon reboot, the password gets overwritten.

We are constantly told that data that's only overwritten once on a magnetic drive is recoverable. So, if one could figure out which section of the drive gets the password written to it (an easy enough exercise given that the boot code that mounts the encrypted volume is in a fixed location and largely static) then one could steal a laptop and, assuming it had been auto-rebooted once before in its life, potentially recover the entire drive contents.

Beyond the capabilities of your average evil-doer but certainly possible.

Obviously...

There is No Such Customer (NSC).

Don't worry, Vista is easier to crack

Seriously, it seems to me that this "loophole" just isn't.

Vista Bitlocker on the other hand, is not worth the disk space it consumes.

I have it on good authority from someone in the know (as in, it is in his job description) that cracking Bitlocker is easy. There is actually a course on "opening" bitlocked volumes, if you move in the right circles (think police forensics)

For my money I'd rather just use a good open source package.

unnamed customers???

Hmm, the FBI paid them for having this backdoor?

1. if i have a real (paying) customer who needs this, i will supply them (and only them) with a customised version.
2. or i fully document the feature.

What they're telling us

So what they're saying is "Sorry you thought our product was secure. However, it's as least as secure as everybody else".

Where did you get your information?

I don't understand what this post is about. This feature is fully documented on PGP's support website for customers. Saying this is only for big companies is not true in the least. On top of this you must know the password of the drive to even implement this feature. How is it a security risk? Your security is only as strong as your end user in this kind of scenario. An end user could just as easily give someone their password. We need to be careful in the security world when making allegations like this before knowing the truth. If you own a PGP product and have a support contract you can view the documentation here. http://support.pgp.com/ [pgp.com]

Marketing Drone Failure

That's right, this is a serious failure of the marketing department to upsell people on the more expensive version along with the support contracts. Damn idiots. List this as a feature that's desirable and as an SMB I might even be interested in going for the more expensive version to gain access to the feature that allows me to more easily enforce disk encryption policies but no they didn't see this and thus it becomes a marketing debacle and people now wonder if they're not willing to document it and use it as a marketing point (Upsell you damn salespeople), then it becomes a backdoor into the computer. Who are these unnamed customers who demanded such a feature? NSA? CIA? Mossad? M6? God damn Microsoft? RIAA? It all boils down to perception and they screwed the porch royally on this one when a little creative marketing could have upsold more people on the more expensive product.

Now folks will question the integrity of the product and they've now got a potential liability issue on their hands because as sure as the sun rises in the west, some lawyer will figure out how to use this to shift the blame for the loss of employee/customer data that should have been encrypted that wasn't.

PGP Bypassed

All I have to say is that my past experience with a big cooperation within IT it was possible to bypass PGP. But thats all I can really say about that.

Even worse than that

I heard the software also lets you uninstall PGP. That would leave your disk WIDE OPEN. And they call that security. HAHAHA. What a piece of crap software. I hope PGP burns in hell.

sooo lesseee

I'm working for secure-co ..supposedly I work on my own secret project, but
my boss has secret info that I want to know, but he always logs off when
ever he leaves...

One day when my boss is gone, I see his laptop
turn off automatically ..ahh...I seize the opportunity. ..I quickly unplug the network and remove the hard drive...boom I've
got his info without anyone knowing, and better yet..no one is even around
because it's all done remotely. I steal the data, and recheck the automatic
authentication, and reconnect it back to the network and turn it
off....quietly slip out of the room..

Note...I never had to have access to his password..I just know that an
automatic reboot, means vulnerability.

kdawson

...is that you?b

is this unexpected?

the NSA requires backdoor access to all major operating systems and encryption products.

Unnamed Customers.....

Hmmmmm.....

I'll bet that "Unnamed Customers" means Big Brother and his minions.

Did you read the article?

Did you read the article or any of the comments before posting that?

Didn't think so...

Why is he modded down?

This backdoor took a bit of time to figure out. The simple fact is that if I buy a product, I expect it it work correctly, in particular, I expect it to work as advertised. PGP says that your data is encrypted and safe. Obviously, it is not.

Re:Why is he modded down?

Because he failed to read the article correctly.

There isn't a backdoor. If you encrypt your hard drive, then lose it, nobody can read it.

If on the other hand, if you've encrypted your boot disk, and you want to remotely reboot your machine, you're going to need someway to feed the password to it before it can bring up the OS (and the networking layer).

This feature allows you to store a password for 1 time use. Then you reboot the machine, and when it comes up, it reads the password and erases it.

It's a useful feature. Doesn't effect you if you don't use it. Even if you do use it, you'd have to set the password then forget to reboot for it to be a problem.

Basically this whole story is a non-issue. The moderation on the grandparent is a reflection of his failure to reason through this.

Re:PGP or not so PGP?

If you RTFA you'd see this feature is needed for anyone who remotely-boots their encrypted drive. The feature is not a backdoor - it has to be enabled by someone with cryptographic access to the drive, and it only works once per setting - reboot, and it's disabled. The only way this could be a security issue is if it's enabled, and before the drive boots up again, the drive is stolen. Features like this are needed, as without them, the drive is useless for remote management, and people won't use encryption, which is obviously far more insecure than having this feature and using it correctly.

Jon *did* call it "dangerous"

Yeah, it's a potentially dangerous feature - but some customers want it anyway, and at least PGP implemented it in a way that's less dangerous than it could have been. I'd have preferred to see some additional hardware involved, e.g. require input from a USB dongle or successful DHCP hit or something in addition to the disk-stored info, but it's hard to get that to work portably and reliably.

Re:There's a word for that.

Oh please. Wish people would STFU about 'I can read the source, and know it's safe.' At best, it's a wrong statement. Who reads the source to everything they put on their system? Nobody, you just trust other people to look at it for you. Open source gives more the code more eyes to look at it, but wording it in such a way that makes it sound like you read every line so you know it's safe? Bullshit.