Undocumented Bypass in PGP Whole Disk Encryption

A non-mouse Coward writes "PGP Corporation's widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality."
This discussion has been archived. No new comments can be posted.

  • by underwhelm ( 53409 ) <underwhelm@gmai[ ]om ['l.c' in gap]> on Thursday October 04, 2007 @12:09PM (#20854255) Homepage Journal
    Maybe they were unnamed because there is No Such Agency?
    • by SerpentMage ( 13390 ) <ChristianHGross&yahoo,ca> on Thursday October 04, 2007 @12:12PM (#20854317)
      When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

      I know what I have, and what I get, and what others cannot get... Not that I have anything to hide. Just that I like my privacy.
      • Re: (Score:3, Interesting)

        For now anyway.

        If people complete various "hard" problems on quantum computers then the non-people at the NSA can probably afford to throw two billion (or whatever) at it to crack ALL MODERN ENCRYPTION that doesn't use quantum devices for keys.

      • PGP is open source, though not Free Software (you can read the source but not modify, redistribute...). What's your FOSS software's solution for remote rebooting?
      • Re: (Score:3, Interesting)

        by Cheesey ( 70139 )
        When it comes to encryption it is exactly for this reason why I use the "clunky", "hard to configure", "no GUI" Open Source!

        Ah, but that's not necessarily a defence against the NSA! Their backdoors might not be hidden in closed source binaries, or in obfuscated source code, or in your CPU hardware, or even injected covertly by your copy of GCC when it recognises encryption code. They might be mathematical backdoors, hidden inside well-known ciphers that are generally thought to be secure. There's the old st
        • Re: (Score:3, Insightful)

          by VENONA ( 902751 )
          You sending people off to this reference would seem to indicate that you don't think anyone will read more than the first bits.
          http://en.wikipedia.org/w/index.php?title=Data_Encryption_Standard&oldid=161828931 [wikipedia.org], so the Wiki article is versioned.

          I guess it all depends upon whether you think factoring large numbers is a hard problem, whether special cases might exist, whether huge amounts of investment dollars matter, etc. From there you make your own call about whether or not to go all elliptical (another
      • Re: (Score:3, Insightful)

        by wikinerd ( 809585 )

        I like my privacy.

        Will be made illegal very soon :(

    • by moderatorrater ( 1095745 ) on Thursday October 04, 2007 @12:29PM (#20854609)
      A backdoor that's documented, although poorly, that you can disable and requires access to the unencrypted disk beforehand? If it were the NSA they wouldn't have allowed it to be documented and you couldn't disable. However, I can think of several large corporations that would require something like this and would have contracts large enough to justify changing the product for. Paranoia doesn't seem to be justified in this case.
  • Huh? (Score:3, Insightful)

    by CoffeeIsMyGod ( 1136809 ) on Thursday October 04, 2007 @12:09PM (#20854257)

    "encryption bypass" ?

    That basically turns the entire thing into a physiological magic trick.

  • Come on, why would you even consider using such a thing?
    • Re: (Score:2, Insightful)

      Whoever modded that post flamebait is completely ignorant of the standards in the security agency, that commonly used security tools be completely open so that people can point out security flaws. With regards to this article, it sounds like the bypass feature was able to be turned on or off, and if they had documented it and let people know, then they could have taken the necessary steps to use it or not, depending on whether you were their unnamed customer.

      In other words, the parent's point is perfect
      • Re: (Score:3, Insightful)

        by dgatwood ( 11270 )

        This is not uncommon, though the lack of documentation is.... Most such encryption products offer the ability to specify a master encryption key across an organization. The way that works is that your individual crypto key protects a copy of the drive-specific crypto key, which then protects the drive. The company you work for has a master crypto key which is also used to encrypt the drive-specific crypto key. (Usually the latter part is done with PK crypto so the employee can only encrypt contents with

        • "Is there a reason to worry that there might be a secret NSA/FBI/CIA/KGB/Russian Mafia/Rush Limbaugh/Gary Coleman back door? Depends on whether you trust the security vendor."

          Yeh, there might be an FSA/NBI/CGB/KIA/Ruffian Masha/Rush Coleman/Gary Limbaugh side door. It is not unpossible that an insecurity vendor might do this.
    • by A non-mouse Coward ( 1103675 ) on Thursday October 04, 2007 @01:31PM (#20855549)
      But ... PGP has a peer review, open-source process [pgp.com]. They're just a commercial product, too. [In other words, it violates the terms of service for you to compile their source code and use it without licensing it.]
    • Re: (Score:3, Informative)

      by Anonymous Coward
      uhh, if you knew anything about PGP you would know that all the source is published. If you have a remote office without local IT staff this feature makes sense. Every month you have to patch your Windows servers, most of these patches require a reboot and if this feature didn't exist you would have to send someone out to type in a passphrase making remote administration impossible. Anyways the use case that the original article envisions is ludicrous. If you have rooted the box with a trojan you have ac
    • by OfficeSupplySamurai ( 1130593 ) on Thursday October 04, 2007 @03:05PM (#20857137)

      Come on, why would you even consider using such a thing?
      Because the source is available [pgp.com] without cost, you just fill out a form, and then you can download it. It's not free software, but the source is not a secret either.
  • by Anonymous Coward on Thursday October 04, 2007 @12:11PM (#20854285)
    And if anyone else can enable it, then they already have access to your computer anyway.
  • by duplicate-nickname ( 87112 ) on Thursday October 04, 2007 @12:11PM (#20854289) Homepage
    Seriously, customers require this so IT staff can do remote support and reboot the machine remotely. It is only enabled for one reboot, and you must have cryptographic access to enable this feature. The only threat is if someone were to enable this, not reboot, and then have the machine stolen.

    Why does crap like this make it to the front page of Slashdot?
    • Re: (Score:3, Insightful)

      The only threat is if someone were to enable this, not reboot, and then have the machine stolen.

      I see what is possibly another. I may enable a hole of this form:

      If someone gets access to the disk or its contents before the reboot, they can clone the state of the encryption software - which will do one "unlocked" reboot. Later (up to a point where the encryption key is changed) they can shut down the machine, reapply this state, and bring it up without the password, gaining access to data that has been ad
  • by trybywrench ( 584843 ) on Thursday October 04, 2007 @12:12PM (#20854297)
    from the response:

    "We call it a passphrase bypass because that is what it is. It is a dangerous, but needed feature. If you run a business where you remotely manage computers, you need to remotely reboot them."


    "You cannot enable the feature without cryptographic access to the volume. If you do not have it enabled, you are not affected, either. I think this is an important thing to remember. Anyone who can enable the feature can mount the volume. It is a feature for manageability, and that's often as important as security, because without manageability, you can't use a security feature."

    makes pretty good sense to me
    • by DAldredge ( 2353 )
      Them be facts. Facts are not welcome on Slashdot anymore.
    • by MalleusEBHC ( 597600 ) on Thursday October 04, 2007 @12:18PM (#20854417)
      Also, from his wording, it sounded like it is not enabled by default. In other words, you can actively choose to sacrifice a bit of security in order to make it work properly in your environment. Sounds like a nice feature to me.
    • by mritunjai ( 518932 ) on Thursday October 04, 2007 @12:36PM (#20854737) Homepage
      You're missing the point!

      Yes, it is a nice(TM) feature and might be useful, but that is not the problem.

      The problem is that the feature is fricking undocumented. There is absolutely no way to know it is there and how to look out for it. It also means that you can't just know how many of these backdoors are in there. Is it only the first undocumented backdoor? How many more of the convenience features are in there by customer demand? How do they affect me?

      When it comes to security software or hardware any and all undocumented features are BUGS! It's a principle, not a convenience!
      • Re: (Score:3, Insightful)

        by Rogerborg ( 306625 )
        Calm down, Sparky. It's documented to their customers, i.e. the people who actually need to know about it.
        • From TFA, it sounds like the documentation was added to their website recently, it wasn't there before. Also, the 'help' for the command-line tools doesn't display those options.
        • If I were to evaluate said product it's something I'd like to know, in advance and fully documented, not hidden somewhere. The whole purpose of documentation is, well, to document things not to leave them for someone surfing extra docs on their website.

          If they'd been open about it, it wouldn't even have made Slashdot, so it's a bit of an own goal - now they have to go and explain it all against a tide of misunderstanding. On stuff like this full disclosure is the better path to take IMHO.

      • Not widely broadcast to the masses != undocumented
      • by Jay L ( 74152 )
        The problem is that the feature is fricking undocumented

        Just so I understand the fricking problem...

        If you have a PGP-encrypted drive, and you know the passphrase, you can unlock the drive until the next reboot. But PGP - and others as well, from TFA - have added a mode that unlocks it until the reboot AFTER that.

        Most people wouldn't want to use such a feature, because it leaves your drive exposed for a longer period of time. Even PGP calls it "dangerous, but needed" (for enterprise environments that do
    • by Qzukk ( 229616 )
      Anyone who can enable the feature can mount the volume.

      The million dollar question: If the volume is mounted, can anyone enable the feature, or do you need to re-enter the passphrase?
    • I follow you this far. But care to explain why it is apparently undocumented? A potential security risk in a software, no matter how sensible to exist, MUST be documented so a user not wanting this security hole to exist can plug it. Especially when there are simple switches in place to plug it.
    • Couldn't a virus or other program running enable this "feature" without the user knowing? Basically you could set up the virus to enable the feature on shutdown, and then steal their laptop afterwards. Then when the thief boots it up, no password required. It would probably be difficult to pull off, but people using whole disk encryption would probably have some interesting data to steal.
      • by SL Baur ( 19540 )

        Couldn't a virus or other program running enable this "feature" without the user knowing? Basically you could set up the virus to enable the feature on shutdown, and then steal their laptop afterwards. Then when the thief boots it up, no password required.

        That's described in the third part of TFA, conveniently omitted by the editor.
        http://securology.blogspot.com/2007/10/response-to-jon-callas-pgp-encryption.html [blogspot.com]

        What also surprises me about the customers that would require PGP WDE to have such a feature is the way they would have to use the feature. Since this is command line driven, this is obviously designed for use in scripting. I have a hard time fathoming an enterprise organization that would, on one hand, require the use of full disk encryption of computers and then, on the other hand, distribute a script with a hardcoded passphrase in it, presumably using a software distribution tool like Microsoft's Systems Management Server (SMS), or similar. The risk of this feature of PGP WDE notwithstanding, we are talking about admins using shared/generic/static passphrases for all or many computers stored in plaintext scripts, set to execute in mass. If the complexity doesn't accidentally disclose the default administrative passphrase, then the fact that fallible humans keeping human readable scripts in N locations used every time Microsoft releases a patch certainly will. An average security conscious IT shop running Windows products (because PGP WDE is a product for Windows) will have at least 12 opportunities per year for devices to get stolen when they are in this vulnerable "bypass" state. Does the use of this PGP WDE (or any full disk encryption vendor as Jon claims competitors have similar functionality) feature increase the risk that laptops will be stolen on the eve of the second Tuesday of every month?

        Except that the "virus" is an update script from IT on the eve of "patch Tuesday" (this is basically a Microsoft Windows only product) and the machine gets stolen then.

        Note also that even though this password bypass feature must be enabled, there is no way to completely disable it.

  • A customer with enough volume to demand such a 'feature' (myself I prefer to call it a bug) surely can justify the addition of a compilation flag as opposed to incorporating it into the general release. I am inclined to think it's more likely to be brown nosing the current US administration.
  • Heh (Score:3, Funny)

    by jayhawk88 ( 160512 ) <jayhawk88@gmail.com> on Thursday October 04, 2007 @12:15PM (#20854369)
    "We are not the only maNufacturer to have Such a feature -- All the major people do, because our customers require it of us.
    • Re: (Score:3, Funny)

      by ch0ad ( 1127549 )
      "We are not the onlY manufacturer tO have sUch a feature -- All the major people do, because our cusTomers requIre iT of us."
  • by bongk ( 251028 ) on Thursday October 04, 2007 @12:31PM (#20854665)
    There is an inherent flaw with many of the commercial laptop full-disk encryption solutions out there. I have the most experience with Utimaco's Safeguard Easy, but I know many of the other big players have the same fault -

    The software has a feature called "Pre-boot Authentication", by which the encryption software is loaded after the BIOS, but before the (generally Windows) operating system. The user's password is used to generate the decryption key, so theoretically not even the NSA could decrypt the laptop without the user's password.

    Here's the flaw - the software has a checkbox to disable Pre-boot authentication. What this does is generate a default user with a random password, and then store this random password obfuscated but in clear-text in the same disk area as the decryption software. When you talk to the sales-people, they sell this as a feature, in fact about half of Utimaco's customers (so I'm told) run it in this mode because the encryption becomes transparent and it is much less intrusive on the user. (Basically the disk is automatically decrypted each time the laptop is booted, but you have to have a valid Windows login to get in.) Buried in the help documentation are warnings "For security reasons, you should Never disable pre-boot authentication". So the engineers and the company know the weakness of disabling pre-boot authentication, but they don't tell their customers when they sell the software.

    Today it seems to break into these laptops with pre-boot authentication disabled you would need somewhat sophisticated tools and techniques, basically the same tools and techniques people commonly use to "crack" commercial software today. But I'm guessing that it won't be very long before someone takes the time to build this crack and releases it, rendering the laptop encryption useless to anyone who can Google for "Utimaco Crack", etc. Basically all the crack would need to do is grab the default user's password off the disk and use or duplicate the decryption algorithms that are also in clear-text on the disk.

    I've talked to a number of IT security folks, and basically it seems like most people trust the sales folks and don't understand that it's basically impossible to have strong encryption without having the decryption key stored off the disk (like on a smart card, or in the brain of the user.)
    • And we use a Post-it on the same door to remember the combination.

      This is dangerous, because it gives a false sense of security. It's an easy way to make full disk encryption have zero security benefit. It might be a feature that this feature is obscure enough that security neophytes won't shoot their foot off. I'd be happiest if the feature automatically deleted the decryption key during the reboot. That's enough to let IT do an unattended reboot and simultaneously discourage people from misusing the feature.
    • by foo fighter ( 151863 ) on Thursday October 04, 2007 @02:33PM (#20856563) Homepage
      We use Utimaco SafeGuard Easy and we also bypass pre-boot authentication (PBA).

      The problem is a company may have thousands of laptops in the wild and Active Directory passwords that expire every 90 days. Because the PBA credentials aren't integrated with AD that means you have a nightmare password management situation. Utimaco does provide a server to try to alleviate this problem, but it's still a major management pain.

      It's true that by default the PBA bypass key gets stored obfuscated but in plain text on the hard drive if you bypass PBA. But if you have a modern computer with a trusted platform module (TPM) you can configure SafeGuard Easy to store the key there. You can also bind the hard drive to that particular TPM chip so that it is inaccessible if attached to another computer.
      http://americas.utimaco.com/safeguard_easy/manual_v430/1-245.html [utimaco.com]
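
A toy model of the key slots discussed in this thread, added here as an illustration and not taken from PGP's or Utimaco's code: a volume key wrapped under a passphrase-derived key, plus an optional bypass slot whose unwrapping key sits on the same disk. The header layout, the function names and the XOR/HMAC wrap (a stand-in for a real key-wrap algorithm) are assumptions; `recoverable_from_disk_alone` is the audit question a defender would ask of a machine at rest.

```python
import hashlib
import hmac
import secrets

def kek_from_passphrase(passphrase, salt):
    """Key-encryption key derived from the boot passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def wrap(kek, key):
    # Stand-in for a real key-wrap algorithm: XOR pad plus HMAC tag, stdlib only.
    nonce = secrets.token_bytes(16)
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    body = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unwrap(kek, blob):
    """Return the wrapped 32-byte key, or None if the KEK is wrong."""
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(kek, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    pad = hmac.new(kek, b"pad" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, pad))

def new_volume(passphrase):
    """Build a toy on-disk header; returns (header, volume_key)."""
    volume_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    slot = wrap(kek_from_passphrase(passphrase, salt), volume_key)
    return {"salt": salt, "user_slot": slot, "bypass": None}, volume_key

def enable_bypass(header, passphrase):
    """Arming the bypass needs the passphrase, i.e. cryptographic access."""
    vk = unwrap(kek_from_passphrase(passphrase, header["salt"]), header["user_slot"])
    if vk is None:
        return False
    disk_key = secrets.token_bytes(32)  # lives on the same disk as the slot
    header["bypass"] = {"disk_key": disk_key, "slot": wrap(disk_key, vk)}
    return True

def boot(header, passphrase=None):
    """Return the volume key or None; an armed bypass is used once, then erased."""
    armed, header["bypass"] = header["bypass"], None
    if armed is not None:
        return unwrap(armed["disk_key"], armed["slot"])
    if passphrase is None:
        return None
    return unwrap(kek_from_passphrase(passphrase, header["salt"]), header["user_slot"])

def recoverable_from_disk_alone(header):
    """Audit check: does the header by itself yield the volume key?"""
    armed = header["bypass"]
    return armed is not None and unwrap(armed["disk_key"], armed["slot"]) is not None

if __name__ == "__main__":
    hdr, _ = new_volume("constructed passphrase")  # sample value, constructed
    enable_bypass(hdr, "constructed passphrase")
    print("armed, exposed at rest:", recoverable_from_disk_alone(hdr))
    boot(hdr)
    print("after one reboot, exposed:", recoverable_from_disk_alone(hdr))
```

In this model a copy of the header taken while the bypass is armed stays armed after the original has rebooted, which is the cloning concern raised in one of the comments above.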

  • PGP is a hilarious company, these days. My company was going to do some consulting work for them, and they announced that we could not work with them unless we complied with their security "policy." We thought it would be no problem--our security is some of the best in the industry.

    We read their "policy" and started laughing, however. It isn't a policy so much as a standard, which explicitly requires all computers run PGP Whole Disk Encryption. No other form of data protection is acceptable.

    I'm inclined to
  • If people wanted Really Good Privacy, they should have purchased encryption from a company called RGP, not Pretty Good Privacy.

  • by Aminion ( 896851 ) on Thursday October 04, 2007 @12:52PM (#20854931)
    So which full disk encryption software does Slashdot recommend? Preferably FOSS and available for *Nix and Windows.
  • So clearly the encryption system records the running password somewhere outside the encrypted volume if the auto-reboot is selected. One would assume that, upon reboot, the password gets overwritten.

    We are constantly told that data that's only overwritten once on a magnetic drive is recoverable. So, if one could figure out which section of the drive gets the password written to it (an easy enough exercise given that the boot code that mounts the encrypted volume is in a fixed location and largely static)
  • There is No Such Customer (NSC).
  • by someone1234 ( 830754 ) on Thursday October 04, 2007 @01:33PM (#20855593)
    Hmm, the FBI paid them for having this backdoor?

    1. If I have a real (paying) customer who needs this, I will supply them (and only them) with a customised version.
    2. Or I fully document the feature.
