Side-channel attacks

Robert J. Hansen rjh at sixdemonbag.org
Mon Jan 17 00:09:16 CET 2022 

On this mailing list we sometimes see requests for help from people 
running dangerously antique versions of GnuPG.  Wasn't all that long ago 
I was asked for help with something in the 1.2 series (!!).  Without 
exception, our first response is usually "for the love of God, upgrade!"

They rarely do.  It's worked fine for them for a decade or more, and 
they're not going to change...

On another mailing list I shared the story of how an AES256-encrypted 
drive was bypassed by law-enforcement and the plaintext recovered.  The 
subject was using PGPdisk 6.0.2 on a Windows XP laptop, hibernated it, 
and the AES key was written to disk where a forensic examiner later 
picked it up.

This didn't happen because of bugs in either PGPdisk or Windows XP: it 
was entirely due to the user ignoring Network Associates when they 
warned him, "PGPdisk 6.0.2 was never designed for Windows XP and you 
might be putting your data at risk by using it."

Interested in the full story?  The write-up is below.

Not interested?  Skip it, but please remember to upgrade your GnuPG 
installation at least every few years.  :)

=====
=====
=====

 > Technically, your team didn't break (or crack) AES256, it
 > merely spotted the key (no small feat for sure!)

(Long and nerdy.  All of this history is off the top of my head, no 
notes.  I may be in error in some places.)

Depends on how one considers side channel attacks!  It's true that we 
didn't successfully cryptanalyze the AES256 cipher, but we mounted a 
successful attack on a *correctly-implemented* AES256 system.  (That 
"correctly-implemented" thing matters.)

PGPdisk 6.5.8-CKT is a misnomer.  Network Associates, Inc., stopped 
publishing PGPdisk source code after version 6.0.2.  When NAI stopped 
publishing PGP source code in late 2000, a group of hacktivists, 
"Cyber-Knights Templar", led by a guy named Imad Faiad, took the last 
published source code for 6.5.8 and used it to build their own version, 
6.5.8-CKT.  When people asked them to also include PGPdisk, Faiad took 
the 6.0.2 PGPdisk source code, built PGPdisk 6.0.2, and included it in 
the 6.5.8-CKT package.

Why does this matter?

'01 was a very interesting year for home computing.  That was the year 
Windows XP was released to home users.  Prior home editions of Windows 
were fundamentally MS-DOS... MS-DOS pushed as far as it could humanly 
go, sure, but still MS-DOS.

There are two big mistakes people make when discussing Windows 95: one 
is to think it was a graphical version of MS-DOS (it wasn't, it had 
genuine hard breaks from its MS-DOS heritage), and the other is to think 
it wasn't (it was, as evidenced by how it had to launch a new MS-DOS 
instance, at least briefly, for every program it ran, including native 
32-bit Windows ones).

Part of it being MS-DOS meant that pretty much every bit of hardware had 
its own specialized device driver.  Yes, we had laptops in 1995-2001 
that could hibernate when you closed the lid -- but only if you had a 
specialized device driver for your laptop (to make Windows aware of what 
to do), and good luck with application support for hibernation. 
Application developers couldn't be expected to support every device 
driver directly!

This meant that PGPdisk 6.0.2 was *correctly written* for that era.  It 
wasn't aware of hibernation events because, well, pretty much nothing 
was except Windows, and even then only with custom drivers loaded.

Then in August of 2001, Microsoft switched the consumer version of 
Windows from MS-DOS to Windows NT.  (Yes, every version of Windows from 
Windows 2000 onwards is actually Windows NT.  And Windows NT is 
basically OpenVMS with the serial numbers filed off.  Microsoft hired 
Dave Cutler to design "Windows New Technology", and Cutler was the chief 
architect of OpenVMS.  Windows NT is basically a next-generation 
OpenVMS, the same way MacOS is a next-generation NeXTSTEP.)

Anyway.  We never saw *good* hibernation support in consumer grade 
hardware until Windows XP... released August of 2001.

(Kinda true.  Microsoft actually finally found a hackish way to do it 
tolerably well in Windows Me, in 1999.  But since all of about four 
people worldwide bought Windows Me, we can discount this.  Windows 2000 
introduced good hibernation support, but that was a 
business-and-enterprise Windows version.  Windows XP was when it became 
common in consumer-grade Windows.)

Whew.  I'm getting somewhere, I promise.

So, post-XP, Microsoft had a standard, uniform way to do hibernation. 
The user signals a hibernation event, and Windows in turn blasts a 
message to each process saying "WE'RE CLOSING UP SHOP, WIPE ALL YOUR 
SENSITIVE STUFF."

But that message wasn't standardized until Windows 2000!

PGPdisk 6.0.2 was released in ... '98, I think?  There's absolutely no 
way PGPdisk could have known about it.  And so, when it received that 
notification, it does what every application does when it gets an 
advisory message it doesn't know what to do with: it shrugged its 
shoulders, said "meh", and kept going.

=====

Why am I telling you this long story?  Hell if I know.  Let me re-read 
this and...

Oh, right, that's where I'm going.

=====

Some people hear my story of the downfall of Rajib Mitra and think "you 
guys exploited a bug in PGPdisk."

We didn't.  At no point did we find a bug in PGPdisk.  PGPdisk was 
correctly implemented.

But there's a reason why cryptographic software is only rated for 
certain environments, and why it's so important to take security nerds 
seriously when we caution, "that's very much not a recommended 
configuration..."

The guys at Network Associates would tell anyone who asked, "if you plan 
on running this on Windows XP you really need to use PGP 7 or later, 
Microsoft made a ton of subtle changes to Windows, we can't guarantee 
earlier versions of PGP will work correctly, you could be putting your 
data at risk."  Network Associates was very up-front about it.

But a ton of their users said, "nah, that's just a ploy to sell more 
copies of PGP, why, I'm running PGPdisk 6.0.2 right now on my Windows XP 
system and it works just fine..."

=====

We didn't break the AES256 cipher, nor did we find a bug in PGPdisk.  We 
found a subtle conflict between the assumptions PGPdisk was making about 
its environment ("we don't need to worry about hibernation because 
there's no standard way to hibernate anyway") and the assumptions the 
environment was making about PGPdisk ("when I tell it we're hibernating, 
it will wipe sensitive data").

But it was one hell of a side channel attack, and it is unquestionably 
true to say that we found a technological means to gain access to a 
*correctly-implemented* AES256-encrypted drive.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20220116/8b71b04d/attachment-0001.sig>

More information about the Gnupg-users mailing list