
Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."

  • Huh? (Score:3, Insightful)

    by CoffeeIsMyGod ( 1136809 ) on Thursday October 04, 2007 @01:09PM (#20854257)

    "encryption bypass" ?

    That basically turns the entire thing into a physiological magic trick.

  • by hxnwix ( 652290 ) on Thursday October 04, 2007 @01:11PM (#20854281) Journal
    Come on, why would you even consider using such a thing?
  • by Anonymous Coward on Thursday October 04, 2007 @01:11PM (#20854285)
    And if anyone else can enable it, then they already have access to your computer anyway.
  • by trybywrench ( 584843 ) on Thursday October 04, 2007 @01:12PM (#20854297)
    from the response:

    "We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."

    and

    "You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."

    makes pretty good sense to me
  • by SerpentMage ( 13390 ) on Thursday October 04, 2007 @01:12PM (#20854317)
    When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

    I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.
  • What's the point? (Score:1, Insightful)

    by Anonymous Coward on Thursday October 04, 2007 @01:14PM (#20854359)
    What is the point of encrypting the drive if it's automatically decrypted? (ie. the key would be stored plaintext somewhere on the drive) I just can't figure that out.

    I don't like PGP in any case. I never have because all their stuff is proprietary. S/MIME, ASN.1, etc are all full blown public standards that do the things PGP does except using open interoperable widely adapted standards.
  • by moderatorrater ( 1095745 ) on Thursday October 04, 2007 @01:19PM (#20854455)
    Whoever modded that post flamebait is completely ignorant of the standards in the security agency, that commonly used security tools be completely open so that people can point out security flaws. With regards to this article, it sounds like the bypass feature was able to be turned on or off, and if they had documented it and let people know, then they could have taken the necessary steps to use it or not, depending on whether you were their unnamed customer.

    In other words, the parent's point is perfectly valid.
  • by moderatorrater ( 1095745 ) on Thursday October 04, 2007 @01:29PM (#20854609)
    A backdoor that's documented, although poorly, that you can disable and requires access to the unencrypted disk beforehand? If it were the NSA they wouldn't have allowed it to be documented and you couldn't disable. However, I can think of several large corporations that would require something like this and would have contracts large enough to justify changing the product for. Paranoia doesn't seem to be justified in this case.
  • Re:Fine by me.. (Score:4, Insightful)

    by idontgno ( 624372 ) on Thursday October 04, 2007 @01:31PM (#20854657) Journal

    They also just lost credibility.

    Oh, I don't know. From the start, all they promised was Pretty Good Privacy. Not like Fort Knox, more like a combination padlock on an open-backed locker.

    I find myself wishing more and more that Phil Zimmermann hadn't sold to NAI.

    Does GPG have a full-disk mode? I think I could trust something with open source and reliable software freedom.

  • Re:Fine by me.. (Score:4, Insightful)

    by illegalcortex ( 1007791 ) on Thursday October 04, 2007 @01:34PM (#20854711)

    Or someone or something on the machine has to convince PGP that the user has actively enabled it.
    And that "someone or something" has to already know the encryption passphrase to do this. Please think these things through.
  • by mritunjai ( 518932 ) on Thursday October 04, 2007 @01:36PM (#20854737) Homepage
    You're missing the point!

    Yes, it is a nice(TM) feature and might be useful, but that is not the problem.

    The problem is that the feature is fricking undocumented. There is absolutely no way to know it is there and how to look out for it. It also means that you can't just know how many of these backdoors are in there. Is it only the first undocumented backdoor? How many more of the convenience features are in there by customer demand? How do they affect me?

    When it comes to security software or hardware any and all undocumented features are BUGS! It's a principle, not a convenience!
  • by Anonymous Coward on Thursday October 04, 2007 @01:37PM (#20854755)
    What is it with everyone assuming NSA backdoor without spending the 2 seconds necessary to understand the simple concept at play here?

    Some want to be able to boot their encrypted disks without having to enter a startup password. It's that simple. Yes, it's a stupid idea but some may have perfectly reasonable reasons for wanting it.

    1. There is no backdoor.
    2. The feature must be explicitly enabled.

    Anyone claiming that a trojan can bypass it by setting the encryption password is wrong for two reasons:

    1. If a trojan has that level of access to your system how do you intend to stop it from sending all of your data over the network, fetching your decryption key from memory structures or decrypting your whole disk without your knowledge while you sleep? If #1 is ever raised as a concern the game is already over and you have lost/0wned!

    2. You need to know the decryption password to enable the feature.
  • by king-manic ( 409855 ) on Thursday October 04, 2007 @01:44PM (#20854839)
    As others have said, some parts of the U.S. government have become completely lawless. The government is requiring access and requiring that access be kept secret. The Bush administration has become a dictatorship. I think U.S. citizens should demand impeachment and that Cheney and the Decider be tried for treason. Why should the really big criminals be allowed to break the law?

    I keep hearing that the 2nd amendment would help in this situation but I haven't noticed any militias storming the local branch of the federal administration. I think the best way to protect Democracy is probably through self-motivated knowledge seeking and political activism on how things work instead of guns, but who can argue with an MP5.
  • by dgatwood ( 11270 ) on Thursday October 04, 2007 @01:48PM (#20854891) Homepage Journal

    This is not uncommon, though the lack of documentation is.... Most such encryption products offer the ability to specify a master encryption key across an organization. The way that works is that your individual crypto key protects a copy of the drive-specific crypto key, which then protects the drive. The company you work for has a master crypto key which is also used to encrypt the drive-specific crypto key. (Usually the latter part is done with PK crypto so the employee can only encrypt contents with what he/she has, not decrypt it.) The purpose for such a "back door" is that if an employee leaves the company, you aren't screwed.

    Is there a reason to worry that there might be a secret NSA/FBI/CIA/KGB/Russian Mafia/Rush Limbaugh/Gary Coleman back door? Depends on whether you trust the security vendor. That said, I don't trust security software unless I can see the source code. If you and others can't inspect the code, then for all you know, the security could be nothing more than a little startup app that asks for a password and checks it against a cleartext string in BIOS before performing ROT13 on any data read from the partition. Security software is one of the few places where closed source software simply can never be trusted, and if you do, you are not paranoid enough.
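
A standard-library model of the key-slot scheme described in the comment above, added here as an example; it is not PGP's code or on-disk format. The slot names, the HMAC-based wrap (a stand-in for real key wrap or public-key encryption) and the `bypass` slot layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(kek, b"enc" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek: bytes, volume_key: bytes) -> dict:
    """Toy authenticated wrap (stand-in for AES key wrap or public-key encryption)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(volume_key, _keystream(kek, nonce, len(volume_key))))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unwrap(kek: bytes, slot: dict):
    """Return the volume key, or None if the KEK is wrong."""
    tag = hmac.new(kek, b"mac" + slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None
    ks = _keystream(kek, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], ks))

def add_slot(header: dict, name: str, passphrase: str, volume_key: bytes) -> None:
    """Store one more wrapped copy of the same volume key under a new passphrase."""
    salt = os.urandom(16)
    header[name] = {"salt": salt, **wrap(derive_kek(passphrase, salt), volume_key)}

def unlock(header: dict, name: str, passphrase: str):
    slot = header.get(name)
    return unwrap(derive_kek(passphrase, slot["salt"]), slot) if slot else None

def add_bypass(header: dict, volume_key: bytes) -> None:
    """Hypothetical bypass slot: the KEK sits in the header beside the wrapped key.
    Creating it needs the volume key, i.e. the volume must already be unlocked."""
    kek = os.urandom(32)
    header["bypass"] = {"kek_on_disk": kek, **wrap(kek, volume_key)}

def disk_only_slots(header: dict) -> list:
    """Audit: slots that anyone holding the disk can open without a secret."""
    return sorted(n for n, s in header.items()
                  if "kek_on_disk" in s and unwrap(s["kek_on_disk"], s) is not None)

if __name__ == "__main__":
    vk = os.urandom(32)              # constructed drive-specific key
    header = {}
    add_slot(header, "employee", "employee passphrase", vk)
    add_slot(header, "org-master", "escrowed master secret", vk)
    del header["employee"]           # employee leaves; master slot still opens the drive
    print(unlock(header, "org-master", "escrowed master secret") == vk)
    add_bypass(header, vk)
    print(disk_only_slots(header))
```

An audit like `disk_only_slots` is the check an administrator would want before a machine leaves the building: any slot it lists means the drive is readable by whoever holds it.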

  • by billstewart ( 78916 ) on Thursday October 04, 2007 @01:52PM (#20854933) Journal
    It looks very much like the kind of feature that a random bank or retail store would want - if the power goes out at a store, you want the system to be able to come back up and run the cash registers even though there's nobody technical enough to trust to press the "reboot" button much less connect a console and type in passwords.


    If you RTFA, you'll see that it's a feature that you can only turn on if you've already got access to the disk, and PGP did it so it only works once.

  • Re:Fine by me.. (Score:5, Insightful)

    by Dogtanian ( 588974 ) on Thursday October 04, 2007 @01:56PM (#20855025) Homepage

    They shall now be treated as DISHONEST. Let's hope their unnamed big customer can afford to keep PGP in business as they lost mine. They can pay for my business PGP lost. Let's hope they are actually big enough.
    From everything that's been said, it seems that the worst that PGP can be accused of is not making clear the security implications of a feature that should have been better documented. And that's arguably quite bad - the worst case is a clueless user turning it on and feeling more protected than they should.

    However, the feature isn't enabled by default. It requires cryptographic access *and* knowledge of its existence to turn it on. And if you already have cryptographic access, then the whole issue is academic.

    You pompously declaring it "DISHONEST" in capital letters smacks of the typical random-geek's kneejerk first post on a messageboard thread. And FWIW, I don't know how much your oh-so-important business with them is worth anyway; I suspect that the other client probably *was* worth more. (Of course, it's quite plausible that the views of *many* smaller clients who disliked the feature would be a serious counterweight. However, if you're going to act like your *individual* view carries so much weight, expect scepticism).
  • by Rogerborg ( 306625 ) on Thursday October 04, 2007 @02:00PM (#20855063) Homepage
    Calm down, Sparky. It's documented to their customers, i.e. the people who actually need to know about it.
  • by A non-mouse Coward ( 1103675 ) on Thursday October 04, 2007 @02:31PM (#20855549)
    But ... PGP has a peer review, open-source process [pgp.com]. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]
  • by someone1234 ( 830754 ) on Thursday October 04, 2007 @02:33PM (#20855593)
    Hmm, the FBI paid them for having this backdoor?

    1. if i have a real (paying) customer who needs this, i will supply them (and only them) with a customised version.
    2. or i fully document the feature.
  • by billstewart ( 78916 ) on Thursday October 04, 2007 @02:41PM (#20855731) Journal
    Yeah, it's a potentially dangerous feature - but some customers want it anyway, and at least PGP implemented it in a way that's less dangerous than it could have been. I'd have preferred to see some additional hardware involved, e.g. require input from a USB dongle or successful DHCP hit or something in addition to the disk-stored info, but it's hard to get that to work portably and reliably.
  • by Ungrounded Lightning ( 62228 ) on Thursday October 04, 2007 @03:19PM (#20856353) Journal
    The only threat is if someone were to enable this, not reboot, and then have the machine stolen.

    I see what is possibly another. It may enable a hole of this form:

    If someone gets access to the disk or its contents before the reboot, they can clone the state of the encryption software - which will do one "unlocked" reboot. Later (up to a point where the encryption key is changed) they can shut down the machine, reapply this state, and bring it up without the password, gaining access to data that has been added or updated since the state was cloned.

    I see ways to prevent this sort of attack. But they'd have to be built in with blocking such an attack in mind - which means the feature and defense against its corruption would have to be taken into account in the architecture of the rest of the product. (They'd also greatly increase the risk of corrupting the encryption software in a way that prevents even the authorized user from referencing the disk in case of, for instance, power problems on startup or an ungraceful shutdown.)
  • by Anonymous Coward on Thursday October 04, 2007 @03:29PM (#20856503)
    This raises an interesting question; since the only way to achieve this functionality is to store the passphrase unencrypted (or encrypted with a calculable key) on the hard disk, how do we know that it is erased adequately? Perhaps we should search the documentation to determine how it goes about erasing the data...
  • With proprietary software, there's no way to know. It could have any number of malicious or ill-conceived/insecure features. Why risk it?


    Because a backdoor can just as easily be slipped into open source software, if not more easily since everyone's assuming "Oh it's open, someone else is looking for backdoors." On top of that, when things go south there's no one to point the finger at and no one to go to for support.

    Look at all the security flaws that have popped up in Firefox over the past two years that could have led to a complete security breach on a user's machine. Most were probably just innocent mistakes, but what if they were intentional? How would we know? And who could we blame?

    Putting a GPL license on something doesn't automatically make it pure and holy.
  • by wikinerd ( 809585 ) on Thursday October 04, 2007 @07:07PM (#20859939) Journal

    I like my privacy.

    Will be made illegal very soon :(

  • by VENONA ( 902751 ) on Thursday October 04, 2007 @08:06PM (#20860619)
    You sending people off to this reference would seem to indicate that you don't think anyone will read more than the first bits.
    http://en.wikipedia.org/w/index.php?title=Data_Encryption_Standard&oldid=161828931 [wikipedia.org], so the Wiki article is versioned.

    I guess it all depends upon whether you think factoring large numbers is a hard problem, whether special cases might exist, whether huge amounts of investment dollars matter, etc. From there you make your own call about whether or not to go all elliptical (another bag of worms) or not, etc. In the end, you either trust the math, or you don't. Not counting valid points you brought up about whether you can trust your hardware, compiler, or binary blobs.

    One point you didn't bring up is rubber-hose cryptanalysis, which has a proven track record dating back through several centuries. It might be a lot easier for an adversary to ignore your opinions on math, the openness of your compiler, etc. and just beat the living hell out of you. Or just toss you in a cell for contempt of court until you either give up a passphrase, or grow old enough to win a sympathy argument.

    Nothing is certain. First you evaluate the *perceived* value of the secrets you're trying to protect. Until you've done that, you can't estimate the potential intensity of the attacks that might be brought to bear in order to obtain those secrets. And only then can you think in terms of effective countermeasures. Assuming there are any, which may not be the case where, for example, an individual is squaring off against the resources of a governmental organization.
  • by A non-mouse Coward ( 1103675 ) on Thursday October 04, 2007 @08:36PM (#20861037)

    Either you still don't understand the feature, or you are willfully misinterpreting it. Once again, you must know the passphrase in order to unlock the data on the disk. If you know the passphrase, you already have access to the data on the disk, with or without this feature. Hence it is NOT a backdoor. A backdoor would mean you didn't need to know the passphrase. Knowing the passphrase is the FRONT door.

    Sheesh.
    Hey idiot! Go back to watching your "Full House" re-runs ('sheesh').

    I did not say that somebody who DOESN'T have a passphrase could turn the feature on. RTFA and realize that any USER (get it? Not "admin") can use this feature, enabling the bypass. Sure, today, (again, you near-sighted idiot) the only way to use this is through the command line, but this is a crypto operation, not a connection to your mom's website, meaning there is no record of who makes crypto operations. It might be a trojan (which yes, I get it, it's got your passphrase), but imagine this: a worm like the storm worm gets modified to (in addition to the myriad of things it does) capture users' passphrases, add the bypass, and modify the PGP Boot Guard to not remove the bypass ... ever. Then a random theft (get it? by somebody who doesn't know squat about PGP WDE) has access to data whilst admins think all is safe. What users will report that the nagging pre-boot auth dialog stopped working (as if they'd ever even notice)???

    And of course, (again I'll get enjoyment for calling you an idiot) an admin who uses this feature but has an adversary pick up the device PRIOR to the reboot happening and the oh so magical PGP Boot Guard removing the bypass ... well, that suddenly is unauthorized access by somebody who doesn't know the passphrase and didn't social engineer a user into giving it up.

    This guy gets it [slashdot.org]. Why can't you?

    Now go say hi to Jesse and the twins for me.
  • Re:Fine by me.. (Score:3, Insightful)

    by 1u3hr ( 530656 ) on Thursday October 04, 2007 @11:07PM (#20862503)
    I unplug your network cable and remove your hard drive, Plug your harddrive into my system..Get the data and recheck, the pre-boot authentication. Put the hard drive back into your computer. Turn it on. it continues the reboot process.. Except for the extra delay.....you never know I just got your data.

    You forgot the part where you descend from the ceiling suspended by a wire harness and hang upside down while typing into the console.

    With that degree of access, there are a million things you could do to gain access to sensitive data. (Eg, rummage through the filing cabinet, paper is still king; install a physical keylogger dongle; etc, etc.) This would just be the icing on the cake; they're fucked already.
