Robert J. Hansen
rjh at sixdemonbag.org
Mon Jan 17 00:09:16 CET 2022
On this mailing list we sometimes see requests for help from people
running dangerously antique versions of GnuPG. Wasn't all that long ago
I was asked for help with something in the 1.2 series (!!). Without
exception, our first response is usually "for the love of God, upgrade!"
They rarely do. It's worked fine for them for a decade or more, and
they're not going to change...
On another mailing list I shared the story of how an AES256-encrypted
drive was bypassed by law-enforcement and the plaintext recovered. The
subject was using PGPdisk 6.0.2 on a Windows XP laptop, hibernated it,
and the AES key was written to disk where a forensic examiner later
picked it up.
This didn't happen because of bugs in either PGPdisk or Windows XP: it
was entirely due to the user ignoring Network Associates when they
warned him, "PGPdisk 6.0.2 was never designed for Windows XP and you
might be putting your data at risk by using it."
Interested in the full story? The write-up is below.
Not interested? Skip it, but please remember to upgrade your GnuPG
installation at least every few years. :)
> Technically, your team didn't break (or crack) AES256, it
> merely spotted the key (no small feat for sure!)
(Long and nerdy. All of this history is off the top of my head, no
notes. I may be in error in some places.)
Depends on how one considers side channel attacks! It's true that we
didn't successfully cryptanalyze the AES256 cipher, but we mounted a
successful attack on a *correctly-implemented* AES256 system. (That
"correctly-implemented" thing matters.)
PGPdisk 6.5.8-CKT is a misnomer. Network Associates, Inc., stopped
publishing PGPdisk source code after version 6.0.2. When NAI stopped
publishing PGP source code in late 2000, a group of hacktivists,
"Cyber-Knights Templar", led by a guy named Imad Faiad, took the last
published source code for 6.5.8 and used it to build their own version,
6.5.8-CKT. When people asked them to also include PGPdisk, Faiad took
the 6.0.2 PGPdisk source code, built PGPdisk 6.0.2, and included it in
the 6.5.8-CKT package.
Why does this matter?
'01 was a very interesting year for home computing. That was the year
Windows XP was released to home users. Prior home editions of Windows
were fundamentally MS-DOS... MS-DOS pushed as far as it could humanly
go, sure, but still MS-DOS.
There are two big mistakes people make when discussing Windows 95: one
is to think it was a graphical version of MS-DOS (it wasn't, it had
genuine hard breaks from its MS-DOS heritage), and the other is to think
it wasn't (it was, as evidenced by how it had to launch a new MS-DOS
instance, at least briefly, for every program it ran, including native
32-bit Windows ones).
Part of it being MS-DOS meant that pretty much every bit of hardware had
its own specialized device driver. Yes, we had laptops in 1995-2001
that could hibernate when you closed the lid -- but only if you had a
specialized device driver for your laptop (to make Windows aware of what
to do), and good luck with application support for hibernation.
Application developers couldn't be expected to support every device
This meant that PGPdisk 6.0.2 was *correctly written* for that era. It
wasn't aware of hibernation events because, well, pretty much nothing
was except Windows, and even then only with custom drivers loaded.
Then in August of 2001, Microsoft switched the consumer version of
Windows from MS-DOS to Windows NT. (Yes, every version of Windows from
Windows 2000 onwards is actually Windows NT. And Windows NT is
basically OpenVMS with the serial numbers filed off. Microsoft hired
Dave Cutler to design "Windows New Technology", and Cutler was the chief
architect of OpenVMS. Windows NT is basically a next-generation
OpenVMS, the same way MacOS is a next-generation NeXTSTEP.)
Anyway. We never saw *good* hibernation support in consumer grade
hardware until Windows XP... released August of 2001.
(Kinda true. Microsoft actually finally found a hackish way to do it
tolerably well in Windows Me, in 1999. But since all of about four
people worldwide bought Windows Me, we can discount this. Windows 2000
introduced good hibernation support, but that was a
business-and-enterprise Windows version. Windows XP was when it became
common in consumer-grade Windows.)
Whew. I'm getting somewhere, I promise.
So, post-XP, Microsoft had a standard, uniform way to do hibernation.
The user signals a hibernation event, and Windows in turn blasts a
message to each process saying "WE'RE CLOSING UP SHOP, WIPE ALL YOUR
But that message wasn't standardized until Windows 2000!
PGPdisk 6.0.2 was released in ... '98, I think? There's absolutely no
way PGPdisk could have known about it. And so, when it received that
notification, it does what every application does when it gets an
advisory message it doesn't know what to do with: it shrugged its
shoulders, said "meh", and kept going.
Why am I telling you this long story? Hell if I know. Let me re-read
Oh, right, that's where I'm going.
Some people hear my story of the downfall of Rajib Mitra and think "you
guys exploited a bug in PGPdisk."
We didn't. At no point did we find a bug in PGPdisk. PGPdisk was
But there's a reason why cryptographic software is only rated for
certain environments, and why it's so important to take security nerds
seriously when we caution, "that's very much not a recommended
The guys at Network Associates would tell anyone who asked, "if you plan
on running this on Windows XP you really need to use PGP 7 or later,
Microsoft made a ton of subtle changes to Windows, we can't guarantee
earlier versions of PGP will work correctly, you could be putting your
data at risk." Network Associates was very up-front about it.
But a ton of their users said, "nah, that's just a ploy to sell more
copies of PGP, why, I'm running PGPdisk 6.0.2 right now on my Windows XP
system and it works just fine..."
We didn't break the AES256 cipher, nor did we find a bug in PGPdisk. We
found a subtle conflict between the assumptions PGPdisk was making about
its environment ("we don't need to worry about hibernation because
there's no standard way to hibernate anyway") and the assumptions the
environment was making about PGPdisk ("when I tell it we're hibernating,
it will wipe sensitive data").
But it was one hell of a side channel attack, and it is unquestionably
true to say that we found a technological means to gain access to a
*correctly-implemented* AES256-encrypted drive.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 236 bytes
Desc: OpenPGP digital signature
More information about the Gnupg-users