Date: Fri, 11 Jun 1999 16:55:30 -0000
From: cezar@CS.NET.PL
To: BUGTRAQ@netspace.org
Subject: (fwd) SECURITY: afio: security hole in 'afio -P pgp' encrypted archives

Hello,


Just found it on comp.os.linux.announce. Sorry if it was already on the list.


cezar

-----BEGIN PGP SIGNED MESSAGE-----


I believe that there are very few people who use afio's -P option for
encrypting afio archive contents with pgp.  If you do not use afio,
pgp, or the 'afio -P pgp' option, it is safe to skip this message.

I. Description

  Since version 2.4.2, the afio archiver has had an interface, the '-P
  pgp' command line option, which can be used to pgp-encrypt the file
  data written to an afio archive.  Following up on some bug reports, I
  have recently discovered a security problem with this afio-pgp
  interface: pgp encryption is not always applied in the right way.
  This makes it possible to crack the encryption on the file data in an
  'encrypted' archive produced using afio with the '-P pgp' option.

  The security of files which were already encrypted _before_ being
  written to the archive is not affected.  The security hole is not in
  pgp itself, but in the interaction between afio and pgp.  Other
  programs which interact with pgp to encrypt things are very unlikely
  to have a similar security hole.

II. Impact

  It is possible to crack the encryption of at least some of
  the file data in the 'encrypted' archives produced using 'afio -P
  pgp'.  This includes archives produced using the pgp_write example
  script included in the afio distribution.

  The attack against the broken archive encryption is obscure, but not
  impossible to find.  The next version of afio (due out in 1-n
  months) will fix the security bug.  By reverse-engineering the bug
  fix, it will be easier to find the attack.  So the release of the
  next afio version will make already-existing 'afio -P pgp' archives
  more vulnerable.

III. Solution

  _Existing archives_ produced with 'afio -P pgp' should really be
  treated with the same care (against theft etc.) as unencrypted
  archives.  If such existing archives cannot be deleted or safely
  locked away, then encrypting the _entire_ existing archive file with
  pgp will protect it.  Such completely encrypted archives will _not_ be
  fault-tolerant against storage media errors, like normal afio
  archives are.

  _New archives_ which really need to be protected with encryption can
  be made by having afio output the archive to stdout and piping this
  output through pgp: 'find [options] | afio -o [options] - | pgp
  [options] >device_or_file'.  Such encrypted archives will _not_ be
  fault-tolerant against storage media errors, like normal afio
  archives are.

  The next version of afio (due out in 1-n months) will fix this
  security hole by which 'afio -P pgp' creates unsafe archives.


On a personal note: I don't use PGP myself, and am not an expert in
dealing with security bugs.  Obviously, reporting the existence of the
bug makes existing archives more vulnerable.  Before I get flamed for
handling this in entirely the wrong way: yes, I did ask some experts
first, and this procedure is what came out.


Koen. (current afio maintainer)




- --
This article has been digitally signed by the moderator, using PGP.
http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature.
Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
PLEASE remember a short description of the software and the LOCATION.
This group is archived at http://www.iki.fi/mjr/linux/cola.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1

iQCVAgUBN2A06FrUI/eHXJZ5AQFliAQAiY+ViFPj6ADX323dVh2P/H1BBD7lBs/8
pR+JYYNReWqmr75Nvx33KtxGjlZmr/DG5cLp6Wb91RD4Xj2qZQkpoEUq5BjjkGFh
6kUKBD49Z6G3XDEzlGUH1UBchvnB8zBTTHMG4T1KzL0xkXBDIn1GjrLNZSOiMyAs
g1koMsqZANk=
=yXea
-----END PGP SIGNATURE-----
-- end of forwarded message --

--
cezar
CYBER Service / PKFL