About
"Czech attack"
(3) The
New York Times, March 21, 2001
(4) The
New York Times, March 23, 2001
(6) Bruce
Schneier about Czech attack
(7) Dorothy
Denning about Czech attack
(1) Press conference
20. 3. 2001, Press conference, ICZ, March 20, 2001, Prague, press release: http://www.i.cz/en/onas/tisk4.html
ICZ Press Release, March 20th, 2001
Czech
company ICZ cryptologists detected serious
security vulnerability of an international magnitude
Prague, March 20th, 2001 - A bug in worldwide
used OpenPGP format has been found. The bug can lead to discovery of user’s
private keys used in digital signature systems. OpenPGP format is widely used
in many worldwide spread applications, including massively used programs like
PGP(TM), GNU Privacy Guard, and others. The bug detection comes on
the right time, as Philip Zimmermann, the creator of PGP program, has left
Network Associates, Inc. and aims to boost OpenPGP format in other products for
privacy security on Internet. From the scientific point of view, the discovery
goes far beyond actual programs - it has wider theoretical and practical impact.
Decros (a
member company of ICZ group) cryptologists Vlastimil Klima and Tomas Rosa
detected insufficient security protection of private signature keys while
working on a research for the National Security Authority. The private
signature key is the most sensitive and therefore the most classified
information in all digital signature systems. The attack is described in detail
in a large research report. The report is to be released on Internet
(http://www.i.cz) in both Czech and English shortly.
The attack
on OpenPGP format leading to discovery of DSA and RSA private signature keys is
described in the research report. OpenPGP format is being proposed as an
Internet standard for exact definition of content and meaning of data records,
in relation to encryption and to digital signature.
This format
is used not only in PGPTM programs group, but also in other
applications, including GNU Privacy Guard. The list of products based on
OpenPGP is available on Internet at http://www.pgpi.org/products. OpenPGP format
and all the applications need to be reviewed the same way as PGPTM
program itself.
The attack
was successfully verified and demonstrated on PGPTM version 7.0.3
using AES and DH/DSS algorithms, which are deservedly being considered as
highly secure.
The serious
bug is caused by wrong implementation of the above-mentioned strongest
cryptographic techniques. The private signature key is the basic and the most
sensitive information in the whole system. The user is using it for digital
signature. In all systems, including OpenPGP, it is therefore protected by a
strong cipher. AES, one of the latest strong algorithms, has been used in the
attacked system. However, the protection appears to be illusory.
The authors
proved that attackers do not need to attack the strong cipher itself. They can
simply bypass it as well as the secret user’s passphrase. A slight modification
of the private key file followed by capturing a signed message is enough. These
tasks can be performed without knowledge of the user’s passphrase. After that,
a special program can be run on any office PC. Based on the captured message,
the program is able to calculate the user’s private key in half a second.
The attacker can then sign any messages instead of the attacked user. Despite
of very quick calculation, the program is based on a special cryptographic
know-how.
Insufficient
security of public and private parts of signature keys in OpenPGP format has
been analyzed for DSA and RSA algorithms. The step-by-step description of the
attack on both private signature keys is being demonstrated. The attacks apply
to all RSA and DSA parameter lengths (modules, keys).
The
demonstrated attacks have a strong impact on security of the programs mentioned
above. To complete the attack, it is not always necessary to visit the attacked
user’s workstation. The vulnerability of the system is also in the files with
exported private keys used by the user for transferring the keys between
workstations. The fact that the private key is stored in an encrypted form can
cause an illusory security feeling. If this file or diskette is captured by
an attacker during the transfer, the security of user’s private key is in
serious danger.
We can
often see that users store private key files on shared devices on a network to
maintain easy access. Knowing that the key is protected by a strong cipher, the
user considers such a storage to be safe enough. The authors proved that
this feeling is illusory. Typically, the server administrator can be the
attacker.
Knowing the
details of the demonstrated attack, the user of programs based on OpenPGP is in
a difficult situation when he/she realizes that an invalid signature value has
been generated. The user cannot be sure whether this happened because of the
attack, or ‘just’ because of a technical failure. It is obvious that every
file with an invalid signature has to be handled carefully, the same way as a
file with the private key in open form! This includes careful secure wiping of
the file from the workstation or the server.
The
completed analysis of the OpenPGP format has found serious defects that make
OpenPGP based applications vulnerable. The practical example is PGPTM
program which is not resistant to the attack on DSA algorithm. However, the
program is resistant to the attack on RSA algorithm because of additional
protections beyond OpenPGP format.
Though the attack relates to RSA and DSA algorithms in OpenPGP, similar vulnerabilities can be expected in other asymmetrical cryptographic systems, including systems based on elliptic curves. OpenPGP format and PGPTM program are likely not the only examples of systems that can be attacked because of insufficient protection of the parameters mentioned above. In the end of their research report, the authors propose cryptographic measures correcting OpenPGP format and PGPTM program as well. They strongly appeal for very careful design of cryptographic systems.
(2) Photogalery
Photogalery here.
(3)
The New York Times, March 21, 2001
Cryptologists Discover Flaw in E-Mail Security Program
By JAMES GLANZ
Two cryptologists announced yesterday that they had found a flaw in the most
widely used program for sending encrypted, or coded, e-mail messages. If
confirmed, the flaw would allow a determined adversary to obtain secret codes
used by senders of encrypted e-mail.
The program, called P.G.P. for Pretty Good Privacy, is used by human rights
organizations to protect vulnerable sources, by corporations to ensure secure
communications and by millions of individual users. American security experts
cautioned that they could not fully judge the accuracy of the claim, which was
issued in Prague, before more technical details become available. The experts
also noted that some sort of access to the sender's computer — either directly
or via the Internet — would be needed to exploit any such flaw.
According to a statement issued yesterday by ICZ, an information technology
company in Prague with about 500 employees, the cryptologists, Vlastimil Klima
and Tomas Rosa, found the problem while doing research on secure communications
for the Czech government.
"It is very serious," said Kriz Zdenek, general manager of ICZ,
adding that a technical paper on the finding would be made available by Friday
on the company's Web site (www.icz.cz/).
Mark McArdle, vice president of P.G.P. engineering at Network Associates in
Santa Clara, Calif., which licenses the encryption program to corporate and
individual users, said he had already assigned a team of engineers to check out
the claim, which he learned of yesterday from a journalist.
"We are very eager to both analyze this and respond to it," Mr.
McArdle said. "We want to make sure that our systems are completely
robust."
He expressed surprise that the Czech company did not inform him of the problem
so that a software fix, often called a patch, could be made available with the
announcement of any bug. But Miroslav Votruba, marketing director at ICZ, said
several e- mail messages informing Network Associates of the problem more than
a week ago received no response.
"We are willing to cooperate before the algorithm or description of the
problem will be released on the Web," Mr. Votruba said.
P.G.P. relies on a type of cryptography that uses two separate keys, one to
encode a message and one to decode it. The flaw claimed by the cryptographers
does not involve cracking the code itself, which is considered virtually
invulnerable, but would work around it by allowing an intruder to steal one of
the keys held privately by a user.
Without such a flaw or bug, the private key would be unavailable even to an
intruder who gained access to a computer, because it exists there only in
scrambled form. The ICZ announcement says there is a way to unscramble it but
gives few details. Mr. McArdle said such a bug would mainly affect the coded
electronic "signatures" that allow the recipient to verify the
sender's identity. In effect, it would allow the intruder to impersonate the
sender in future communications.
"This is probably real," said Bruce Schneier, founder and chief
technology officer of Counterpane Internet Security in San Jose, Calif.,
referring to the bug. But he said it showed that e-mail security involved more
than simply protecting the message in transit on the Internet.
Dr. Michael A. Caloyannides, a senior fellow at Mitretek Systems in McLean,
Va., said the bug would be "a bit of a shock," since P.G.P. had been
considered essentially invulnerable. And Matthew Zimmerman, project coordinator
for the Science and Human Rights Program of the American Association for the
Advancement of Science, confirmed that his organization routinely used P.G.P.
to protect dissidents and informers around the world.
But even if the problem does turn out to be serious, said Jonathan Zuck,
president of the Association for Competitive Technology in Washington, an
industry group involving information technology, security-conscious Internet
users should not panic.
"This kind of technology arms race is always a factor in any new
technology standard," Mr. Zuck said, adding that the eventual result
should be an improved encryption program.
(4) The New York Times, March 23, 2001
Experts Differ on How Flaw Will Affect Coded E-Mail
By JAMES GLANZ
Security experts have confirmed that the most widely used program for sending
encrypted e-mail messages has an obscure vulnerability that could allow a
determined intruder to obtain secret codes, as two Czech cryptologists
announced on Tuesday.
But some experts differ sharply with the cryptologists on the practical
importance of the vulnerability, which is now believed to have existed in the
program since it was invented a decade ago. The program — called P.G.P., for
Pretty Good Privacy — is used by millions of people around the world.
The cryptologists, Dr. Vlastimil Klima and Tomas Rosa of ICZ, an information
technology company in Prague, said the flaw could allow an intruder to forge
the "digital signature" that senders of encrypted e- mail use to
identify themselves in secret communications or financial transactions.
Mark McArdle, vice president for P.G.P. engineering at Network Associates in
Santa Clara, Calif., which licenses the program to corporate, organizational
and individual users, agreed that Dr. Klima and Mr. Rosa were correct. But Mr.
McArdle said their technique was impractical, since it required access to
digital files that should exist only on the sender's computer or on a secure
floppy disk.
The cryptologists strongly disagree, saying the files are often floating about
in shared computer networks or in computers with open links to the Internet.
Everyone seems to agree that the episode reveals how elusive privacy has become
in the age of electronic communication, when only multiple precautions designed
by security professionals have a chance — and even then sometimes fall short.
"It is a very practical attack," Dr. Klima said of the method he and
Mr. Rosa developed. Since workers on computer networks often wish to use P.G.P.
at multiple workstations, a scrambled form of their signature code — which they
can unscramble using a phrase known only to them — may exist in a central
repository accessible to system administrators and others. Only the file
containing the scrambled code is required for the attack, Dr. Klima said.
But Mr. McArdle said his company specifically recommended
that the file be kept in a secure location and not on a network. He said
exceptions to this practice were so rare that his company might not even offer
software to patch the vulnerability until a new version of P.G.P. becomes
available, perhaps next summer.
Philip Zimmermann, P.G.P.'s inventor, who is no longer affiliated with Network
Associates, refused even to call the discovery a flaw, saying it was merely an
interesting "mathematical observation," since any hacker who gained
access to a secure computer — where the codes should be kept — could do far
more damage than simply forge e-mail messages. For example, in 1999 federal
agents planted a so-called sniffer in the keyboard of an organized- crime
suspect to obtain all his passwords.
Because encrypted digital signatures gained legal standing last year, however,
in a bill signed by President Bill Clinton, the P.G.P. vulnerability has caught
the attention of the online security community.
Some security experts said the episode illustrated that as a practical matter,
ordinary users of the Internet had little hope of maintaining privacy in the
face of a sophisticated adversary.
"The reality of life is that, in fact, the majority of people do not
diligently guard their keys," said Dr. Michael A. Caloyannides, a senior
fellow at Mitretek Systems in McLean, Va. Against a determined intruder, he
said, "it's kind of like locking the front door and leaving the back door
wide open."
(5) Czech television about it
28. 3. 2001, ČESKÁ TELEVIZE, news "Tady a teď", record (RealPlayer, 3.7MB), photogalery.
(6) Bruce Schneier about Czech attack
"A vulnerability was found in the OpenPGP standard. If an attacker can modify the victim's encrypted private key file, he can intercept a signed message and then figure out the victim's signing key. This is a problem with the data format, and not with the cryptographic algorithms. I don't think it's a major problem, since someone who can access the victim's hard drive is more likely to simply install a keyboard sniffer. But it is a flaw, and shows how hard it is to get everything right. Excellent cryptanalysis work here."
Bruce Schneier
CTO, Counterpane Internet Security
http://www.counterpane.com/crypto-gram.html
(7) Dorothy Denning about Czech attack
"Your report on the vulnerabilities of PGP signatures is most interesting. Congratulations on your fine work."
Prof. Dorothy E. Denning
Georgetown University
http://www.cs.georgetown.edu/~denning
(8) Further reports
Further articles, reports and information about it were in all main Czech media (television, radio, newspapers, magazines), in many foreign media and in a lot of internet sources (ZDNet, CNET, ACM, CNN, TheRegister and others).