29 August 2000. Names of senders of private messages omitted, others publicly posted to UK Crypto.
Additional contributions invited, open or anonymous. Send to: jya@pipeline.com. See PGP 2.6.2 and 6.5.8 keys at Cryptome home page.
Date: Tue, 29 Aug 2000 11:10:25 -0400 To: ukcrypto@maillist.ox.ac.uk From: John Young <jya@pipeline.com> Subject: Less Than Lethal PGP Due to the recent discovery of a fault in PGP we would appreciate advice on what would be the best way to communicate with a party whose life may be at risk by insecure encryption. I am not the party at risk, that party is located in a country known for murderous crackdowns. This is a real situation that was underway when the PGP ADK fault was revealed. And there is now an urgent need to assure communication security. Steps have been taken to get rid of earlier communcations to the best extent possible, though those will remain a continuing threat. New keys have been generated with 6.5.8 and 2.6.2 as interim measures, and they will not be put on the servers but kept only for the two parties in communication. It has been suggested to: Generate new key pairs for each communciation. Triple encrypt, possibly with separate keys for each iteration. Abandon PGP entirely. Break off communication until a secure method is assured. Thanks for input.
From: SS To: jya@pipeline.com Subject: Enquiry.......... Date: Tue, 29 Aug 2000 16:28:03 +0100 How about agreeing a passphrase (in person, using the phone, using references to documentation only the two parties have etc) and then using ScramDisk to encrypt messages and data. Personally I still trust 6.5.8 with the appropriate care taken with keys (e.g. educate users to check ADK *everytime* they encrypt). How about using GPG - this is at least as strong as PGP cryptographically and also doesn't offer ADK functionality. My last resort would be to use v2.x (and put up with the similar security problems, e.g. crap hash, deadbeef etc). Your other ideas: > It has been suggested to: > > Generate new key pairs for each communciation. Doesn't prevent the ADK attack if the adversary has access to all communications because of the meet in the middle attack. > Triple encrypt, possibly with separate keys for each > iteration. Would only be good if using separate keys, but how do they know they can trust these individual keys? > Abandon PGP entirely. Unnecessary IMO. Just educate the users to check for ADK's. > Break off communication until a secure method > is assured. Again, unnecessary - the only way this attack can succeed is if PGP keys have been infected with an ADK. This is easy to check.
Date: Tue, 29 Aug 2000 16:57:09 +0100 To: jya@pipeline.com From: FS Subject: Re: Less Than Lethal PGP At 2000-08-29 11:10 -0400, you wrote: >Due to the recent discovery of a fault in PGP we would >appreciate advice on what would be the best way to >communicate with a party whose life may be at risk >by insecure encryption. I think that you would receive better advice if you made the threat model clearer. Is this party going to be in trouble only if Bad Guy reads the plaintext, or if Bad Guy sees who else the party in question is communicating with, or even just if Bad Guy sees that the party uses encryption and therefore has something to hide? You will of course know that even a perfect PGP won't help beyond the first case, yet it would appear to me that in the situation you describe... >I am not the party at risk, that party is located in >a country known for murderous crackdowns. ...the second and third cases are just as likely. In those cases you (they) need anonymous comms and steganography, not just cryptography. >Steps have been taken to get rid of earlier communcations >to the best extent possible, though those will remain a >continuing threat. Does this mean "if Bad Guy reads the plaintext of any one of the earlier messages then the party is in trouble, otherwise not"? >New keys have been generated with 6.5.8 and 2.6.2 as >interim measures, and they will not be put on the >servers but kept only for the two parties in communication. I would risk an opinion that the "Senderek bug" is not a vulnerability in this case, unless Bad Guy can somehow tamper with the computers of sender and recipient -- but in that case he could also read off the plaintext directly. >It has been suggested to: > >Generate new key pairs for each communciation. Seems dangerous to me: with the resulting key management mess, there would be more opportunities for a knowledgeable Bad Guy to smuggle in a forged key and attack with Man-in-the-middle or indeed the Senderek bug. >Triple encrypt, possibly with separate keys for each >iteration. Beware key management problems, as above. >Abandon PGP entirely. Fine, but in favour of what? GPG might be a good choice perhaps... >Break off communication until a secure method >is assured. Safest method to avoid confidentiality leaks of course -- but then if Bad Guy kidnaps the party anyway and throws him in a torture dungeon for months, nobody will know until a lot later. Another suggestion might be to check the integrity of one's keyring and encryption program before use every time with a hash-based utility like tripwire. Or perhaps even restarting from first principles and writing a known-good, trojan-free runnable copy of both the program and the keys to CD and always use that. What I am really concerned about is that, never mind all the theoretical arguments, just HAVING pgp or equivalent on the disc may be an excuse for being thrown in jail and tortured. Wouldn't surprise me. Steganography required, but the same would hold for the stego tools. Perhaps the most important element of the security policy would have to be an emergency plan that allows you to destroy all evidence in 30 secs as soon as you hear they're breaking through the front door. (Not that the absence of evidence would do much to stop them from torturing you if that's what they like to do, mind you, they'd just have fewer excuses...) Best wishes to the threatened party.
JY to FS: Thanks for the very constructive comments. It is a situation where information is being sent for safekeeping and possible future revelation. So it is the information that is lethal, not to whom it is being sent, at least as far as I know. However, it is highly likely that the use of encryption could be a hazard itself, so steganography is a good suggestion, although the sending party may not be adept at that. Yes, if the previous messages were read they could jeopardize the person but only by implication for the lethal information has not been transferred, just the intention to send unspecified information. Yes, it is possible that the equipment could be raided, and just about all the other bad stuff you mentioned. Nasty country, so I'm told. So all your advice will be heeded. Glad it's not me at the other end, and glad I may be of help.
Date: Tue, 29 Aug 2000 18:07:09 +0100 To: John Young <jya@pipeline.com> From: FS Subject: Re: Less Than Lethal PGP At 2000-08-29 12:07 -0400, you wrote: >It is a situation where information is being sent for >safekeeping and possible future revelation. So it is >the information that is lethal, not to whom it is being >sent, at least as far as I know. However, it is highly >likely that the use of encryption could be a hazard >itself, so steganography is a good suggestion, although >the sending party may not be adept at that. Beware bad steganography. There are plenty of tools around that hide stuff in other stuff, but a competent attacker will be able to spot that stego comms are taking place because the statistics of these LSBs will be different (= "more random") from what one might expect. Andreas Westfeld did some work on this a year ago and presented it here at Cambridge. A write-up of his stuff appeared at the 3rd Information Hiding workshop last year, and here is the bibliographic reference: Andreas Westfeld, Andreas Pfitzmann, "Attacks on Steganographic Systems", in Andreas Pfitzmann, ed.: _Proceedings of Information Hiding '99, Third International Workshop_, Dresden, Germany, Sept-Oct 1999, Lecture Notes in Computer Science 1768, Springer-Verlag, pp 61-76. He has explicit and visual results about common stego tools that he could break. From the rest of your description of the situation, my advice would be to set up a system where you don't keep copies of any of these messages or of any encrypted material you might have produced (which means, if you use PGP or similar stuff: never encrypt to self, don't copy to outbox, wipe plaintext after sending etc etc). This would have to be part of the day-to-day operation of the system. Somehow this simplifies the problem: if you can treat your friend in safeland to be your secure hard disc, then you can avoid storing the compromising stuff at home (Very Good Thing tm), and you're only in danger when you communicate. Now, if only you could find a way to do that unobtrusively... One still has to justify the presence of the crypto tools, so the emergency plan as suggested previously (get rid of it all when you hear strange sounds) still makes sense. Note that it's pretty damn hard to get rid of all traces of specific data from a hard disc. Since, in the scenario above, the system doesn't hold any precious data (it's all sent to safeland as soon as it's obtained), then it might be worthwhile using the 30 seconds to use a sledgehammer (brick, whatever) on the drive, and on the rest of the computer too in a way that looks like an accident (oh, that's an old wreck I keep around for parts, the kiddies broke it a while ago). For the cover story to be plausible one may need to have a clean computer too (e.g. if they can prove that you used the internet until this morning --surely not from that wreck, mate). What a mess. It's also costly to do this repeatedly, if they bust your door once a month looking for stuff (or just to harass you). BTW, I think there's a famous Peter Guttmann article (Usenix maybe? Oh yes, here it is: http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html) on getting rid of data from hard discs. Depending on how resourceful the adversary is, deforming the platters with the brick may not be enough. But it looks to me like you can't do much better in 30 secs...
Date: Tue, 29 Aug 2000 17:09:10 +0100 From: Philip Rowlands <phr@doc.ic.ac.uk> To: ukcrypto@maillist.ox.ac.uk Subject: Re: Less Than Lethal PGP John Young wrote: > > Due to the recent discovery of a fault in PGP we would > appreciate advice on what would be the best way to > communicate with a party whose life may be at risk > by insecure encryption. The first thing I'd do would be to reassure yourself that you've not been encrypting with tampered keys; the CERT advisory explains how to do this with GPG (Gnu Privacy Guard). > This is a real situation that was underway when the > PGP ADK fault was revealed. And there is now an urgent > need to assure communication security. > > Steps have been taken to get rid of earlier communcations > to the best extent possible, though those will remain a > continuing threat. > > New keys have been generated with 6.5.8 and 2.6.2 as > interim measures, and they will not be put on the > servers but kept only for the two parties in communication. > > It has been suggested to: > > Generate new key pairs for each communciation. > > Triple encrypt, possibly with separate keys for each > iteration. For the above two suggestions, do you trust yourself to get these right against a knowledgable "snooper"? Are you really giving yourself greater security, or just a warm cosy feeling? > Abandon PGP entirely. Unless you audit the code yourself, or have someone who you trust do it for you, what are the risks of another important bug being uncovered? If you can generate and manage the pads properly, one time pads might be a safer, more provably secure option. > Break off communication until a secure method > is assured. This seems safest; but what are your criteria for assuring a method of secure communication? Sorry if this seems to be asking rather than answering questions... Phil
To: ukcrypto@maillist.ox.ac.uk cc: Ross.Anderson@cl.cam.ac.uk Subject: Re: Less Than Lethal PGP Date: Tue, 29 Aug 2000 17:27:54 +0100 From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk> > I am not the party at risk, that party is located in > a country known for murderous crackdowns. In this case the use of any encryption at all may put them in harm's way. There are many less conspicuous communications security measures that you can take. Internet cafes; throwaway email accounts, especially at webmail servers with an SSL option (apparently this defeats even Carnivore); handwritten faxes; MP3stego; the list is fairly long. What you'd choose depends on the precise nature of the threat, the circumstances of the correspondent, the level of techie skills, and so on. Ross
[Approval to name given.] From: "Michel Bouissou" <michel@bouissou.net> To: <jya@pipeline.com> Subject: Re: Less Than Lethal PGP Date: Tue, 29 Aug 2000 19:03:57 +0200 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [JY message to UK Crypto omitted] Although the security breach recently found in PGP has to be taken VERY SERIOUSLY, I think you shouldn't jump too quickly to the conclusion that previous communications between the 2 parties could have been intercepted and decrypted. The precise bug that has been discovered allows an easy check of if this exploit was actually performed on the concerned keys or messages, provided you kept the concerned keys and messages for careful examination. What is mostly worrying in this bug is that it demonstrates that a highly potentially dangerous new feature such as the ADK has been designed and implemented into PGP not taking appropriate careful review, testing and examination measures. And such a bug stayed there for years. This may logically lead to thinking that other serious security-threatening bugs could reside in PGP that haven't been discovered yet. Thus undermining confidence one could put into PGP. But, I must stress the fact that, to the best of my knowledge, PGP ENCRYPTION HAS NOT BEEN BROKEN. Which means that: - - If a message was ever encrypted to an ADK-doctored key, it was of course readable for an attacker, but: - - If this didn't happen, all messages ever PGP encrypted between the parties remain as safe as they used to be (as long as you have not completely lost your trust in the PGP system). Checking wether or not both parties could have been victim of such an attack is rather EASY. It needs the following to be done: - - Check the keys !!! - - USING A VULNERABLE PGP VERSION (not 6.5.8!) and the keyring files that were in use with it, display the ADK column in PGPKeys and check if any of the concerned keys on both parties systems shows a suspect ADK on it. - - IF NOT, you're not at risk from this bug. - - IF YES, you're at risk ONLY if you ALSO have in your public keyring the public key which is displayed on the "ADK" tab of the forged public key as being the ADK key: Because, if this key is NOT in the keyring, no encryption could ever had been performed to it. And the sender would probably have received a suspicious message stating that the "ADK was missing" at message encryption time. These simple verifications could help much in diagnosing if your communications could have been put at risk by the ADK bug. - - Now, if you have kept the encrypted messages exchanged between the parties, try decrypting them again, after having turned OFF the "Cache decryption passhrases" option in the PGP preferences dialog. This to make sure that you will see the decryption dialog for each message. - - For each message, carefully examine the list of possible decryption keys. If you see only the recipient key displayed -- and possibly the sender one as well, the message was not encrypted to any other (ADK) key. - - If you see a supplementary recipient key that shouldn't be there... Well, you've been trapped. Having made sure about this, and keeping making sure that no key in any of the parties keyrings displays unwanted ADKs, keeping making sure at message encryption and decryption time that the message will not be / was not encrypted to any other key than the intended parties ones should be enough to stay immune from this bug, even with a "vulnerable" PGP version. The rest is a matter of trust: Deciding whether or not you keep trusting PGP encryption after such a bug has been discovered in the software. If you keep trusting PGP, just upgrade to 6.5.8. and go on. If you don't trust PGP anymore, you don't have *any* reason to trust 6.5.8 more than you would have trusted bugged versions. Then your only choices are: - - To revert to a 2.6.3 version of PGP that used RSA and has never been suspected of weakness, for years. - - To shift to some other PGP-like software, which currently doesn't give much choice, GnuPG under Linux (or similar operating system) being the only alternative. You wrote: >Steps have been taken to get rid of earlier communcations >to the best extent possible, though those will remain a >continuing threat. This was maybe done too fast, as only examination of past messages could have revealed if they had been encrypted to some unwanted keys. >It has been suggested to: > >Generate new key pairs for each communciation. This doesn't make sense for me. Exchanging and validating these keys each time would be a hassle, create new risks of seing forged keys introduced if the parties do not perform very careful checks with every new keypair. And it wouldn't provide any better security. >Triple encrypt, possibly with separate keys for each >iteration. Unnecessarily complicated. Either PGP is broken, and 10 encryptions will not help, or PGP is not broken, and one encryption is far enough. >Abandon PGP entirely. This only depends on your opinion and the trust you now have in PGP. Best regards. Michel Bouissou <michel@bouissou.net> PGP DH/DSS ID 0x5C2BEE8F -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com> Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou superieur. iQA/AwUBOave6Y7YarFcK+6PEQKTMQCfagl35Cmv9QHBLFX8oYFqtdeKC1cAn1Ie Tx9AFMpUBVLqmbWzrj0/e41t =61Kw -----END PGP SIGNATURE-----
Date: Tue, 29 Aug 2000 18:55:15 +0100 To: ukcrypto@maillist.ox.ac.uk From: Dave Bird <dave@xemu.demon.co.uk> Subject: Re: Less Than Lethal PGP -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [JY message to UK Crypto omitted] John, my evaluation: the ADK fault can be dealt with by purging all keys from your key-ring that have an ADK. To actually mount an attack using the fault would be extremely difficult. (1) You would have to have the interlopers key on your ring, (2) what happens is that PGP tells the application the application calling it there is an ADK. It would be up to the application to actually carry out the additional work. I don't think it is a real threat in particular cases. But it was incredibly stupid of someone to "pollute" the general security and undermine trust in that way. Speculation: if the CIA paid for it, that's exactly what they intended i.e. to mess with people's heads and undermine confidence. >It has been suggested to: > >Generate new key pairs for each communciation. > >Triple encrypt, possibly with separate keys for each >iteration. > >Abandon PGP entirely. > >Break off communication until a secure method >is assured. I do not think you need to break off communication yet; though this can be a wise last resort if you think security is completely trashed. There is not anything much better than PGP. There are only so many reliable and well-tested algorithms, anything else will be built on the same basic ciphers. Where encryption is life-and-death you may wish NOT to use the latest fancy commercial PGP but go for an older and more conservative public domain version (these versions did not introduce ADK at all). Multiple layers of encryption are a possibility. If you use commercial PGP and are lazy then you have a twelve month main key with new subkeys start every month and last two months. Or a 26 week permanent key with 26 weekly subkeys each lasting a fortnight. - -- ^-^-^-@@-^-;-^ http://www.xemu.demon.co.uk/ (..)__u news:alt.smoking.mooses -----BEGIN PGP SIGNATURE----- Version: PGPsdk version 1.7.1 iQA/AwUBOav5A38v/Y5zkfRPEQJPgACfbcl6J5+H404ajtCSrN62GAvhA0IAnAsL t7JNv4dNJL7kMAgbT6juhiU+ =S27g -----END PGP SIGNATURE-----
From: "Dave Howe" <DHowe@Hawkswing.demon.co.uk> To: <ukcrypto@maillist.ox.ac.uk> Subject: Re: Less Than Lethal PGP Date: Tue, 29 Aug 2000 21:59:56 +0100 ----- Original Message ----- From: Philip Rowlands <phr@doc.ic.ac.uk> To: <ukcrypto@maillist.ox.ac.uk> Sent: Tuesday, August 29, 2000 5:09 PM Subject: Re: Less Than Lethal PGP > John Young wrote: > > > > Due to the recent discovery of a fault in PGP we would > > appreciate advice on what would be the best way to > > communicate with a party whose life may be at risk > > by insecure encryption. > > The first thing I'd do would be to reassure yourself that you've not > been encrypting with tampered keys; the CERT advisory explains how to > do this with GPG (Gnu Privacy Guard). Better yet, assure yourself you haven't been encrypting with *ANY* ADK key - the keys in each of your keyrings should be checked. in this situation, there should be no reason for you to have an ADK enabled key on your keyring, and any such key will be evidence of tampering. Once you are happy that this is the case, then you should be ok - any future communtications between you should be with the "known clean" keys on your keyring, so the existance or not of contaminated keys on the keyservers becomes pretty unimportant (but obviously worth checking, to see if someone *has* made the attempt.
Date: Tue, 29 Aug 2000 19:26:20 +0100 (BST) From: Charles Lindsey <chl@clw.cs.man.ac.uk> Subject: Re: Less Than Lethal PGP To: ukcrypto@maillist.ox.ac.uk [JY message to UK Crypto omitted] I think you are overreacting. There should be no need to change keys or anything like that. All you need to do is to inspect the public keys you have got to see if they have ADKs in the unsigned part (I believe the technique for the check is on the CERT site). If they are clean (as they probably will be), then you are as secure as you ever were (but you should maybe heed Ross's warnings on how secure you thought you were). If they have been tampered with (unlikely), then it should be possible to clean them and continue using them, but you should then worry about who may have read anything sent with them earlier on. The main precaution people need to take is to check all newly-obtained public-keys for cleanliness, and make sure they are kept away from anyone who might try to tinker with them. BUT AFAIK, noone has yet found a tampered-with key in the wild. And finally, the people receiving messages (those who hold the private keys) should upgrade to the fixed-versions of PGP, if that is possible. Then they are safe anyway. Charles H. Lindsey ---------At Home, doing my own thing------------------------ Email: chl@clw.cs.man.ac.uk Web: http://www.cs.man.ac.uk/~chl Voice/Fax: +44 161 437 4506 Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K. PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5