Date: Fri, 11 Jun 1999 16:55:30 -0000 From: cezar@CS.NET.PL To: BUGTRAQ@netspace.org Subject: (fwd) SECURITY: afio: security hole in 'afio -P pgp' encrypted archives Hello, Just found it on comp.os.linux.announce. Sorry if it was already on the list. cezar -----BEGIN PGP SIGNED MESSAGE----- I believe that there are very few people who use afio's -P option for encrypting afio archive contents with pgp. If you do not use afio, pgp, or the 'afio -P pgp' option, it is safe to skip this message. I. Description Since version 2.4.2, the afio archiver has had an interface, the '-P pgp' command line option, which can be used to pgp-encrypt the file data written to an afio archive. Following up on some bug reports, I have recently discovered a security problem with this afio-pgp interface: pgp encryption is not always applied in the right way. This makes it possible to crack the encryption on the file data in an 'encrypted' archive produced using afio with the '-P pgp' option. The security of files which were already encrypted _before_ being written to the archive is not affected. The security hole is not in pgp itself, but in the interaction between afio and pgp. Other programs which interact with pgp to encrypt things are very unlikely to have a similar security hole. II. Impact It is possible to crack the encryption of at least some of the file data in the 'encrypted' archives produced using 'afio -P pgp'. This includes archives produced using the pgp_write example script included in the afio distribution. The attack against the broken archive encryption is obscure, but not impossible to find. The next version of afio (due out in 1-n months) will fix the security bug. By reverse-engineering the bug fix, it will be easier to find the attack. So the release of the next afio version will make already-existing 'afio -P pgp' archives more vulnerable. III. Solution _Existing archives_ produced with 'afio -P pgp' should really be treated with the same care (against theft etc.) as unencrypted archives. If such existing archives cannot be deleted or safely locked away, then encrypting the _entire_ existing archive file with pgp will protect it. Such completely encrypted archives will _not_ be fault-tolerant against storage media errors, like normal afio archives are. _New archives_ which really need to be protected with encryption can be made by having afio output the archive to stdout and piping this output through pgp: 'find [options] | afio -o [options] - | pgp [options] >device_or_file'. Such encrypted archives will _not_ be fault-tolerant against storage media errors, like normal afio archives are. The next version of afio (due out in 1-n months) will fix this security hole by which 'afio -P pgp' creates unsafe archives. On a personal note: I don't use PGP myself, and am not an expert in dealing with security bugs. Obviously, reporting the existence of the bug makes existing archives more vulnerable. Before I get flamed for handling this in entirely the wrong way: yes, I did ask some experts first, and this procedure is what came out. Koen. (current afio maintainer) - -- This article has been digitally signed by the moderator, using PGP. http://www.iki.fi/mjr/cola-public-key.asc has PGP key for validating signature. Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov PLEASE remember a short description of the software and the LOCATION. This group is archived at http://www.iki.fi/mjr/linux/cola.html -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: latin1 iQCVAgUBN2A06FrUI/eHXJZ5AQFliAQAiY+ViFPj6ADX323dVh2P/H1BBD7lBs/8 pR+JYYNReWqmr75Nvx33KtxGjlZmr/DG5cLp6Wb91RD4Xj2qZQkpoEUq5BjjkGFh 6kUKBD49Z6G3XDEzlGUH1UBchvnB8zBTTHMG4T1KzL0xkXBDIn1GjrLNZSOiMyAs g1koMsqZANk= =yXea -----END PGP SIGNATURE----- -- end of forwarded message -- -- cezar CYBER Service / PKFL