Security Flaw Discovered in GPG 151
WeLikeRoy writes "A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. It is possible for an attacker to take any signed message and inject extra arbitrary data without affecting the signed status of the message. Depending on how gpg is invoked, it may be possible to output just faked data as several variants of this attack have been discovered. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2."
Oh no! (Score:4, Funny)
what is GPG?
Yeah, I will go RTFA. However, summaries that assume you are familiar with an acronym are rude, IMHO
Not a fundamental flaw. (Score:5, Interesting)
So this is a simple mistake made by GPG, in an effort to coexist well with email and the like.
In other words, GPG looks at an email message and sees headers and the like. Of course, the headers were not signed (just the message), so GPG skips them and when it encounters the signed message, it begins to verify the signature.
So, if you are an attacker, you insert something before or after the signed message, and when GPG goes to verify it, the signed message passes, but GPG nicely prints out the whole message for you, instead of just the signed part. Oops, not a big deal, encryption isn't broken, in fact this is just an application bug.
Enigmail is fine... (Score:2, Insightful)
Re:Enigmail is fine... (Score:2, Informative)
Re:Not a fundamental flaw. (Score:3, Interesting)
From: BOSS@CORPORATE.COM
To: MIDDLEMANAGER@CORPORATE.COM
Subject: Employee Burt Reynolds
That's a fine lad! Let's give him a raise!
-- Boss
GPG SIGNATURE VERIFIED: BOSS@CORPORATE.COM
Now, this message can be intercepted and a new part inserted before the actual message body,
Re:Not a fundamental flaw. (Score:3, Insightful)
ergo the injection you proposed would not be valid and hence would be rejected
by the signature verification process.
try and add something before or after the actual e-mail message and see how much sense
it would make to someone reading it...
Arash
Re:Not a fundamental flaw. (Score:2)
Huh. That's exactly what I did. Note that the message body is not altered. And that the mail headers (From, To, Subject) are separate from the message body. The inserted text is inserted just before the actual e-mail message body.
Re:Not a fundamental flaw. (Score:3, Insightful)
But if I understood correctly, GPG doesn't include the headers in the signature; so even without this bug, you could just change the subject to refer to Foo Bar.
Tricky business, security is :(.
Well , What is GPG? (Score:4, Funny)
GPG is: (Score:4, Informative)
GPG stands for Gnu Privacy Guard. It's the Free(tm) replacement for PGP (Pretty Good Privacy) which was originally developed by RSA. Between them, they are one of the standards for encryption and verification of sensitive data (including email).
As opposed to X509/SSL which seems to be designed for centralized trusted certificate issuers, GPG/PGP depend on a (decentralized) web of trust -- You decide which signatures you wish to trust, and then those signatures can be used to signify who they trust... If you have enough trust in the signature web for a public key you have for someone, then it is presumed that the key is trustable.
GPG seems to be supported by people who include some serious heavyweights in the encryption community.
IANASE (I am not a security expert), so any corrections to this explanation would be much appreciated)
Re:GPG is: (Score:3, Informative)
Given the lawsuits that RSA filed to stop PGP this statement could hardly be more wrong. Phil Zimmerman developed PGP as freeware, then released a commercial version of his code and reclaimed the name. GPG is a name chosen to describe the free version.
This crack is not particularly new, the first version of PGP had the problem. The only part of the message that is secure i
Re:GPG is: (Score:3, Informative)
This sentence is neither informative nor funny.
No, GnuPG [wikipedia.org] is not the same as PGP [wikipedia.org]. GnuPG was in fact developed to replace PGP, both because PGP is covered by a non-commercial use only license, and (probably) because it by default incorporates the patented IDEA algorithm. Yes, PGP Freeware and GPG are both free and interoperable, but they are not the same thing.
Re:GPG is: (Score:3, Informative)
The full story is a bit more complex. The original PGP used a lot of patented stuff only Phil Z. did not bother to get a license for any of it. This led Jim Bizdos to complain about the patent inf
Re:GPG is: (Score:5, Informative)
No, PGP wasn't developed by RSA; RSA had nothing at all to do with PGP's development. Use of the RSA asymmetric encryption algorithms has been in use since early versions, but PGP itself was developed by Phil Zimmerman, who got into a patent battle with RSA over his use of the algorithm without their permission (although patent co-holder MIT didn't have a problem with it, complicating the situation). A deal was eventually worked out, and the RSA algorithms have been in ever since.
Re:GPG is: (Score:2, Funny)
Re:GPG is: (Score:3, Informative)
Back then (early '90s), simple encryption SOFTWARE was considered a munition, similar to if he snuck an atom bomb out of the country. The software was "released" onto the evil internet (perhaps not even by Phil), and as I
Re:GPG is: (Score:4, Interesting)
This was also a primary catalyst for the argument of how strong exportable encryption should be, and which brought the encryption debate out into the public eye. Had he not done this, we might be a few years behind our current status, just having finished accepted the appropriateness of exporting heavy encryption.
Re:Oh no! (Score:5, Interesting)
Re:Oh no! (Score:3, Funny)
-Peter
Re:Oh no! (Score:3, Funny)
"If you do not know what GPG is, you're not a nerd - and you're on the wrong site."
I think about 98% of the science department at any college would tell you exactly what a fucking idiot you are for making such a broadly stupid statement. Are you seriously so deluded that you think the only type of nerd is a computer nerd? And that all computer nerds have heard
Whew! (Score:5, Funny)
Re:Whew! (Score:2)
Re:Whew! (Score:2)
None. But you don't have to use GPG, you could use Crypt::OpenPGP instead.
Re:Whew! (Score:5, Funny)
Re:Whew! (Score:2, Insightful)
If you had published your email, I'm sure you'd have 500 encrypted "Hello, world!" emails from other Slashdot readers.
The reason why (Score:2)
I always have wondered why the spammers aren't using the database of PGP/GPG keys to send spam too. Maybe they are, but obviously aren't willing to sign it for computational reasons, even with a phony key.
Re:Whew! (Score:2)
The poster was being funny but he does have a serious point. Adoption of GPG is most probably not very high. My guess as to why is the high degree of knowledge required to use GPG. When creating a key, the user is asked a lot of questions the answer, to which, he or she most probably doesn't know without a fairly good understanding of asynchronous encryption technology and PKI [pki-page.org]. Key management i
Re:Whew! (Score:2)
Re:Whew! (Score:2)
Funny, but curiously enough fake PGP/MIME attachments are used by spammers, because older versions of SpamAssassin foolishly increased the score of messages with a signature attachment. This, regrettably, led to the situation of some misguided spam-filtering companies blocking messages with signatures, further hindering adoption.
Bug Intentionally Placed? (Score:2, Funny)
For all the tinfoil hat people out there, I propose that the bug may have been placed intentionally, since GnuPG is, in fact, an opensource community project. So instead of taking hours to obtain a GPG key, the NSA could spend seconds and impersonate an otherwise [strike]paranoid[/strike] privacy-oriented person in typically confidential memos. Maybe a full accounting as to when the bug got there, how it got there, who put it there and the chances of it being purely human error are to be demanded? After
Re:Bug Intentionally Placed? (Score:5, Funny)
Re:Bug Intentionally Placed? (Score:5, Funny)
Re:Bug Intentionally Placed? (Score:2)
Re:Bug Intentionally Placed? (Score:5, Funny)
Re:Don't forget Win95! (Score:1)
Re:Don't forget Win95! (Score:5, Funny)
Re:Don't forget Win95! (Score:4, Funny)
Re:Bug Intentionally Placed? (Score:2, Interesting)
Ah ha. And how many times did you personally verify the source before you trusted it?
Re:Bug Intentionally Placed? (Score:1)
Re:Bug Intentionally Placed? (Score:2, Interesting)
Re:Bug Intentionally Placed? (Score:5, Informative)
I realize this is a joke, but just so everyone knows, a little bit of scrutiny would expose a faked message.
If you RTF Mailing List, you will see that the "attack" only allows someone to append or prepend data to the signed message, and then the augmented message is only displayed the way it is because of an application bug in GPG.
No fundamental algorithm is broken, no one has discovered a way to cause collisions. In fact, if you tried to independently verify the signature of the message against the augmented message, it would fail.
What happens is that GPG skips text that is not part of the signed message, such as email headers and the like, then verifies what is signed. Unfortunately, once it's verified, it will output the whole message, leading the user to believe that the whole message was signed.
Again if you checked the signature against the whole message it wouldn't verify, GPG is just being a bit too helpful.
Re:Bug Intentionally Placed? Well, msg headers? (Score:2)
Well, then a little GOOD social engineering could resolve this, right? Some prepend and append markups could help identify what was injected.
Example: (Pre-encrypted)
Begin Encrypted Body HERE:
We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW
Re:Bug Intentionally Placed? Well, msg headers? (Score:2)
Begin prepended text HERE:
<!--
End prepended text HERE.
Begin Encrypted Body HERE:
We snatched the subject at building 232. Skyjack arrived at the field and extracted subject at 2200 hours, and headed 225 True north along evac corridor. Diverted to SSW 45 seconds later, avoiding
End Encrypted Body HERE.
Begin appended text HERE:
--> We're caught! Destroy the evidence... and kill Jack, that damned traitor!
End prepended text HERE.
Re:Bug Intentionally Placed? (Score:2)
wrong (Score:2)
As to where it came from, you can check the version control log files; it's all there.
Re:Bug Intentionally Placed? (Score:2)
Re:Bug Intentionally Placed? (Score:2)
If GPG had been a closed-source product, almost nobody would ever have known about the flaw. People would just have carried on using it [*], believing it safe, and the exploit would have stayed underground. It's precisely because it's Open Source that anybody discovered the problem at all. At least now, it can be fixed -- in fact, it already has been fixed.
[*] Well, actually, they wouldn't, because using closed-source crypto is up there in the top ten Bloody Stupid Ideas, along
hang on, i'll tell him (Score:1, Funny)
that GPG user lives downstairs i'll just tell him there is a problem
Are you his mother? (Score:2)
He had a mother!
software or data flaw? (Score:2)
Re:software or data flaw? (Score:3, Informative)
The problem is in display. It displays the unencoded preamble and postscript inline with the (properly) verified parts of the email. You then, essentially, have to guess which is which.
Re:software or data flaw? (Score:2)
Not quite. Depending on how GnuPG is called, the output might be either the real signed data alone, the appended data alone, or a mix.
Aha! (Score:5, Funny)
Re:Aha! (Score:4, Funny)
Shouldn't be a surprise... (Score:4, Insightful)
Re:Shouldn't be a surprise... (Score:2)
Double Bag That Burger (Score:5, Informative)
Of course, sent messages can't be recovered for reprotection with the new second method. And eventually the other original method will be compromised, so the attacker can use the appropriate methods for each. But at least you've improved your security. Probably more than the next guy. Next lesson: when the bear is chasing y'all, you don't have to be the fastest; just not the slowest.
Re:Double Bag That Burger (Score:5, Funny)
That's an awesome idea. I'm going to start doing that right now! :P
application/x-pkcs7-signature; name="smime.p7s"
Re:Double Bag That Burger (Score:5, Funny)
How in the F*** did THAT make it through the lameness filters?!
Re:Double Bag That Burger (Score:2)
Re:Double Bag That Burger (Score:1)
Re:Double Bag That Burger (Score:2)
Triple bag it (Score:2, Informative)
From http://www.x5.net/faqs/crypto/q85.html [x5.net]
Re:Triple bag it (Score:1)
However, the principle in that FAQ is sound within its scope. In combination with the consideration I mention, the right approach is to use as many redundant methods as possible given costs, network and processing bandwidth.
Again, the redundancy operates on exactly the same principle as th
Re:Double Bag That Burger (Score:2)
Double encrypting is valuable too. Encrypting the same message multiply in parallel with the same key/method may weaken the encryption, especially if the attacker knows it's the same original message, because they now have two different chances to guess - one will be easier to guess (first in their guessing sequence). Encrypting the message first with one method/key, then
shock! (Score:1)
Oddly enough (Score:2)
Ah well, maybe I can install it on my Linux machine?
Re:Oddly enough (Score:2)
Re:Oddly enough (Score:2)
Anyway I have some PGP keys that I cannot revoke and I never set an expire date on them. Since they were not created with OpenPG, I cannot revoke them with GNUPG but I can disable them. Can I upload a disabled key to public key servers and let people know I am not using those keys anymore, or does that only work for revoked keys?
Re:Oddly enough (Score:2)
Re:Oddly enough (Score:2)
I'll give GPGShell a try, thanks again.
DEFCON (Score:1)
Someone should get fired (Score:3, Funny)
Oh, it isn't corporate product, nevermind.
check.. (Score:5, Funny)
Re:check.. (Score:2)
A serious problem in the use of GPG to verify digital signatures has been discovered, which also affects the use of gpg in email. All versions of gnupg prior to 1.4.2.2 are affected, and it is thus recommended to update GnuPG as soon as possible to version 1.4.2.2.
Please disregard the remainder of this email.
-----BEGIN PGP SIGNED MESSAGE-----
Joe,
Are you coming to the pub tonight?
Ben.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (Darwin)
Comment: http://www.r [rbisland.cx]
Short explanation if you're too lazy to RTFA (Score:5, Informative)
If you read the message using the new GPG 1.4.2.2 it will correctly not accept the hacked message. So if you have any question about signed mail you received, you can check it again after upgrading GPG.
The bug only affects embedded signatures, such as in email messages using inline signatures or signed encrypted email. I think that excludes PGP/MIME signed unencrypted email, which is a common format for signed mail and would be a form of detached signature.
The bug does not affect "detached signatures", which are the kind that are used to verify software downloads, which means it could not have been used to hack yum, apt-get, etc.
All in all, not a big security flaw unless someone takes a signed email that you sent them, forges a GPG signed request to your domain registrar to transfer your million dollar domain name to them, and your registrar hasn't yet updated to GPG 1.4.2.2. Whoops -- if you upgrade GPG right now, it wouldn't help in that scenario.
Your version number may not change (Score:3, Informative)
Security Flaw Discovered in GPG? (Score:3, Interesting)
I'm guessing, but 95% of computing world doesn't use GPG. And isn't this a "Man In the Middle" attack? How many routers have been compromised that I need to worry about this?
Are my GPG encrypted messages to the kremlin, CIA, or FBI less secure? Are my "lovey-dovey, are you naked" messages to my wife compromised? Thats about all I use GPG for.
Enjoy.
Well... (Score:3, Informative)
Does it make the e-mails less safe? No. First, the flaw is for adding material, not reading it. Second, it's for signing, not encryption per-se. It DOES mean that you cannot trust e-mail for commercially sensitive transactions, but nobody should be trusting e-mail for that
Re:Well... (Score:5, Insightful)
I don't mean this to come across as flamebait, but that's one of the stupidest comments I've read on Slashdot today. You could just as well - and with the same justification - say that telephones shouldn't be used for conducting business (all business consists of commercially sensitive transactions, mind you), or that letters shouldn't be used, that the postal services can't be trusted, that pens and paper shouldn't be used for writing down contracts, and so on.
All these things, just like email and just like GPG, are tools. Tools, like everything, are fundamentally insecure, at least theoretically; there is no absolute security. But you can minimise risks by using tools the right way, by making sure that malfunctions don't lead to a cascade of further malfunctions, and - maybe most importantly - by *realising* and *keeping in mind* that nothing is ever perfectly secure. If you do that, you can use email for sensitive things just like you can use the phone network or the postal services or direct face-to-face communication; you merely have to be aware of the risks and how to manage/minimise them.
Panicking and crying "email is never secure!" isn't going to get you anywhere, really. You're just limiting yourself to other means of communication which are basically just as secure or insecure as email is, and given that statement, chances are you haven't really understood how security works, anyway, so you're probably less secure no matter what you do.
Telephones (Score:2)
With the advent of VoIP, crypto chips that you can buy off the shelf, etc, it would neither be difficult nor unreasonable f
Re:Well... (Score:2)
Re:Well... (Score:3, Interesting)
I agree. But again, the way I read the alert, isn't this a "Man In the Middle" attack?
Does it affect routers or the infrastructure of the Internet? Only insofar as domain registrars never validate change requests properly. A carefully-crafted attack could use this to appe
Re:Well... (Score:5, Informative)
It's a replay attack. I take a very terse/vague signed message that you've written and append important evil data to the front or back and resend it. The signature checks out and the meat of the message (the stuff I've added on to the front or end) appears to come from you.
This sort of problem has come up before in other contexts. When you sign an email, for example, it's doesn't include the headers or date. If your signed message is general enough, I can copy it and send it to someone else (GPG signatures verify the sender, not the recipient.) One of the situations where this has come up is in the Debian voting process. If a DD mistakenly sends their ballot to the wrong person, then changes their vote, anyone who has a copy of the old ballot can send it again and change the vote back. Debian safeguards against this by allowing each DD to see how their vote was cast after the vote is complete.
Re:Well... (Score:2)
That is not flaw in GPG, it is poor design. The vote should contain a timestamp and the most recent timestamp is the current vote. That doesn't cover the pos
Re:Well... (Score:2)
The Enigmail extension for T-Bird works as a front-end to GPG. I don't know if it can work with GPG in any other way.
Re:Well... (Score:3, Informative)
And very well it works too. I've been using it to communicate with someone who insists on encrypting their mail and it works fine. The biggest problem with it is that it somewhat assumes a familiarity with GPG in the first place to import keys and so on.
It works much better than SMIME which apps like Mozilla, Outlook Express have supported natively for years. SMIME is close to being unusable. It's not those app's faults (although the companys
Re:Well... (Score:2)
I guess the Enigmail [mozdev.org] folks aren't really doing anything then? Not sure if poster deserves an "Informative" moderation.
I think most of the major email clients support encryption beyond a "limited range of digital certificates". There are GPG plugins for Outlook. I'm not sure
Re:Security Flaw Discovered in GPG? (Score:2)
Re:Security Flaw Discovered in GPG? (Score:2)
No. Software is signed with detached signatures (that abcd.sig file that is distributed with the abcd.tar.gz). Detached signatures are not affected by this bug.
Re:Security Flaw Discovered in GPG? (Score:2)
Enjoy,
Re:Security Flaw Discovered in GPG? (Score:2)
But as pointed out earlier the bug only affects "inline" signatures.
Damn Microsoft!! (Score:4, Funny)
Quick! (Score:4, Funny)
Some facts about the flaw (Score:3, Informative)
This applies to a very specific case where a message is constructed by hand with multiple data packets and a single signature packet, so:
I say "might" as in all of these cases it depends on how GnuPG is called.
Re:Debian unstable's got me covered. Um NO. (Score:3, Informative)
1.4.2-2 is not equal to 1.4.2.2, and it is older than 1.4.2.2
the -2 is the 2nd Debian modification of 1.4.2
actually not (Score:3, Informative)
Re:Wonder... (Score:2)
Re:Wonder... (Score:2)
Re:Aha! (Score:2)