Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

Re:PGP or not so PGP?

[dave420]

If you RTFA you'd see this feature is needed for anyone who remotely-boots their encrypted drive. The feature is not a backdoor - it has to be enabled by someone with cryptographic access to the drive, and it only works once per setting - reboot, and it's disabled. The only way this could be a security issue is if it's enabled, and before the drive boots up again, the drive is stolen. Features like this are needed, as without them, the drive is useless for remote management, and people won't use encryption, which is obviously far more insecure than having this feature and using it correctly.

Re:Fine by me..

[illegalcortex]

RTFA or at least TFComments (though that might be difficult in your rush to be first post). As many have pointed out, to turn on the feature, you have to already get past the encryption. It's not a "backdoor" in any sense. Someone who doesn't already know the passphrase can't use it to get access to the drive. Plus, this feature is turned off by default so the user has to actively enable it. You enter the passphrase, reboot the computer and on THAT boot, it doesn't ask you for a passphrase. Next reboot it does.

This actually DOES sound like a very good feature and I would hope other products have it, too. Wish the editors would RTFA, too...

Re:Did anyone read the response?

[Lothsahn]

They do have access to the keys. That's the point.

They need to do unattended automated reboots of thousands of computers. These are enterprise customers.

They have the encryption key, and they want to apply security updates and reboot the computers. When the employees come to work in the morning, they expect the computers to be on and operational, as they left it.

If you don't use the feature, then it poses no risk. If you need to apply unattended updates to computers on a large scale, going to each computer and typing in the passphrase is not practical.

This is a non-issue, and a FUD article. You need to have UNLOCKED access to the encrypted volume to enable this feature.

Normal users using PGPDisk and not using this feature are at no greater risk for it existing.

Many products allow disabling preboot auth

[bongk]

There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -

The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the bios, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theorhetically not even the NSA could decrypt the laptop without the user's password.

Here's the flaw - the software has a checkbox to disable Pre-boot authentication. What this does is generate a default user with a random password, and then store this random password obfuscated but in clear-text in the same disk area decryption software. When you talk to the sales-people, they sell this as a feature, in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.

Today it seems to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.

I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that its basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)

Re:Why is he modded down?

[Racemaniac]

well, read the other replies. apparantly it is a feature you have to enable yourself, which is useful in some cases, and is no security danger (unless you do stupid things with it). the entire story seems to be a non-issue... it's no real backdoor, just one you can enable for certain uses.

Re:Did anyone read the response?

[chill]

No, there isn't. There are stories that only make it into category pages, like Games or Apple, but don't make it to the front page that everyone sees.

TrueCrypt and GPG

[Futurepower(R)]

As others have said, some parts of the U.S. government has become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

My experience of whoever it is who sells PGP is that there are other issues about they way they do business, too.

That's why open source encryption is so important. TrueCrypt [truecrypt.org] supports Windows and Linux. Supports encrypted devices and encrypted folders, including hidden folders.

To encrypt a file, use the free open source Gnu Privacy Guard [gnupg.org].

They can't do whole hard disk encryption, but they are at least honest.

Re:Why is he modded down?

[PylonHead]

Because he failed to read the article correctly.

There isn't a backdoor. If you encrypt your hard drive, then lose it, nobody can read it.

If on the other hand, if you've encrypted your boot disk, and you want to remotely reboot your machine, you're going to need someway to feed the password to it before it can bring up the OS (and the networking layer).

This feature allows you to store a password for 1 time use. Then you reboot the machine, and when it comes up, it reads the password and erases it.

It's a useful feature. Doesn't effect you if you don't use it. Even if you do use it, you'd have to set the password then forget to reboot for it to be a problem.

Basically this whole story is a non-issue. The moderation on the grandparent is a reflection of his failure to reason through this.

Re:closed source encryption software??!!

[Anonymous Coward]

uhh, if you new anything about PGP you would know that all the source is published. If you have a remote office without local IT staff this feature makes sense. Every month you have to patch your windows servers, most of these patches require a reboot and if this feature didn't exist you would have to send someone out to type in a passphrase making remote administration impossible. Anyways the use case that the original article envisions is ludicrous. If you have rooted the box with a trojan you have access to the data already, there is no need to steal the physical machine.

Re:Not turned off by default

[illegalcortex]

Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.

Sheesh.

Re:Many products allow disabling preboot auth

[foo fighter]

We use Utimaco SafeGuard Easy and we also bypass pre-boot authentication (PBA).

The problem is a company may have thousands of laptops in the wild and Active Directory passwords that expire every 90 days. Because the PBA credentials aren't integrated with AD that means you have a nightmare password management situation. Utimaco does provide a server to try to alleviate this problem, but it's still a major management pain.

It's true that by default the PBA bypass key gets stored obfuscated but in plain text on the hard drive if you bypass PBA. But if you have a modern computer with a trusted platform module (TPM) you can configure SafeGuard Easy to store the key there. You can also bind the hard drive to that particular TPM chip so that it is unaccessible if attached to another computer.
http://americas.utimaco.com/safeguard_easy/manual_v430/1-245.html [utimaco.com]

Re:closed source encryption software??!!

[OfficeSupplySamurai]

Come on, why would you even consider using such a thing?

Because the source is available [pgp.com] without cost, you just fill out a form, and then you can download it. It's not free software, but the source is not a secret either.

Re:And People Wonder Why Open Source!

[Anonymous Coward]

You're right about it not mattering anymore, but that is because equivalent encryption products are available elsewhere anyway. I don't think that they have quantum computers that can break current encryption and even if they did you'd probably have to be a high priority for them to use them to break your encryption.

Re:"Unnamed Customers"

[StrongAxe]

How much do you want to bet that "unnamed customers" are synonymous with "various federal and state police agencies, DOD, and NSA"?

From TFA, those "unnamed customers" are companies that have the need to remotely reboot their machines. This feature is NOT a backdoor - it merely allows someone WHO ALREADY HAS WRITE ACCESS TO THE ENCRYPED DRIVE (i.e. someone who has already given the passphrase) to grant a one-time certificate that permits a reboot without asking for the passphrase again. The major risk here is that someone will rob your store during the 60 seconds it takes to reboot over the phone, a possible, but highly unlikely scenario.

This is how it works

[illegalcortex]

Okay, so let me explain why I'm telling you the software doesn't work like this. Here's the key thing to remember: the pre-boot lockout is not the thing protecting data on the disk.

Here's a scenario:
1) Install PGP and encrypt the drive.
2) Reboot
3) Turn on the bypass for the next reboot
4) Shutdown
5) Remove the drive and stick it (or copy of the drive) in another computer as a secondary drive
6) Try to access the drive

From your posts, it appears you think you'll see all the files. The simple fact is that you won't. It will appear as an unrecognized volume. That's because the files are still encrypted. The operating system will not be able to access the files. You're screwed.

The whole bootloader is just another step of lockout. First there's bootloader, then there's the windows login. Again, the bootloader is not the thing that "turns off" encryption on the drive after you get past it.

I was already assuming this was how it works because to do it otherwise would be quite foolish. I thought back to the parallels of how Windows works when you turn on encryption for certain files. The delay in most post was because I wanted to check this out with the real product to make sure my assumptions weren't bad. And guess what? I was right. I tried this out in the real world with the real product and the volume was still encrypted even though the bootloader password was bypassed.