PGP Attack FAQ: Practical attacks

Most of the attacks outlined in the other sections are either not possible or not feasable by the average adversary. So, what can the average cracker do to subvert the otherwise stalwart security of PGP? As it turns out, there are several "doable" attacks that can be launched by the typical cracker. They do not attack the cryptosystem protocols themselves, (which have shown to be secure) but rather system specific implementations of PGP.

Passive attacks basically boil down to snooping or otherwise registering the user's activities while he is using PGP.

Active attacks go further. The attacker needs to actively interfere with the user's activities.

Table of contents

What passive attacks are known against PGP?

There are many passive attacks. Some often-suggested attacks are:

  • Keypress snooping
  • Van Eck snooping
  • Memory space snooping
  • Disk cache snooping
  • Packet sniffing

What is keypress snooping?

Keypress snooping is simply recording relevant keypresses by the user. If an attacker can install a keylogger, and capture the passphrase of an unwary target, then no cryptanalysis whatsoever is necessary. The attacker has the passphrase to unlock the RSA private key. The system is completely compromised.

The methods vary from system to system, but I would say DOS-based PGP would be the most vulnerable. DOS is the easiest OS to subvert, and has the most key-press snooping tools that I am aware of. All an attacker would have to do would be gain access to the machine for under 5 minutes on two seperate occasions and the attack would be complete. The first time to install the snooping software, the second time, to remove it, and recover the goods. (If the machine is on a network, this can all be done remotely and the ease of the attack increases greatly.) Even if the target boots clean, not loading any TSR's, a boot sector virus could still do the job, transparently.

Keypress snooping under Unix is a bit more complicated, as root access is needed, unless the target is entering her passphrase from an X-Windows GUI.

What is Van Eck snooping

Every computer monitor emits invisible radiation. This radiation can be captured remotely. If done the right way, the image shown on the monitor can be reconstructed remotely. This allows the attacker to observe whatever is going on on his victim's computer!

The relevance to PGP is obvious, and the threat is real. Snooping the passphrase from the keyboard, and even whole messages from the screen are viable attacks. This attack, however exotic it may seem, is not beyond the capability of anyone with some technical know-how and the desire to read PGP encrypted files.

What is memory space snooping?

In a multi-user system such as Unix, the physical memory of the machine can be examined by anyone with the proper privaleges (usally root). In comparison with factoring a huge composite number, opening up the virtual memory of the system (/dev/kmem) and seeking to a user's page and directly reading it, is trivial.

What is disk cache snooping?

In multitasking environments such as Windows, the OS has a nasty habit of paging the contents of memory to disk, usally transparently to the user, whenever it feels the need to free up some RAM. This information can sit, in the clear, in the swapfile for varying lengths of time, just waiting for some one to come along and recover it. Again, in a networked environment where machine access can be done with relative impunity, this file can be stolen without the owner's consent or knowledge.

What is packet sniffing?

Communication on TCP/IP networks such as the internet and most local area networks takes place by transmitting packets of information. In most networks every computer can capture all traffic for all other computers, because the packets are broadcasted to all computers. Packet sniffing simply is the process of capturing certain packets that "smell" interesting.

If you use PGP on a host which you access remotely, you can be vulnerable to this attack. Unless you use some sort of session encrypting utility, such as SSH, DESlogin, or some sort of network protocol stack encryption (end to end or link by link) you are sending your passphrase, and messages across in the clear. A packet sniffer sitting at a intermediate point between your terminal can capture all this information quietly and efficiently.

What active attacks are known against PGP?

There are several active attacks. Some often-suggested attacks are:

  • Trojan horses
  • Reworked code

What is a Trojan Horse attack?

A Trojan Horse is a malicious computer program that masquerades as a useful tool. The victim is tricked into executing the Trojan Horse because he does not know the malicious aspects. For instance, a Trojan Horse may install a keylogger or software that allows remote control of the victim's computer.

Although this is an old concept, this attack is still a very effective means of compromise. The concept of a trojan horse should not be foreign to anyone. An apparently harmless program that in reality is evil and does potentially malicious things to your computer. How does this sound...:

Some coder has come up with a kewl new Windows front-end to PGP. All the newbies run out and ftp a copy. It works great, with a host of buttons and scrollbars, and it even comes with a bunch of *.wav files and support for a SB AWE 32 so you can have the 16-bit CD quality sound of a safe locking when you encrypt your files. It runs in a tiny amount of memory, coded such that nothing leaks, it intercepts OS calls that would otherwise have their contents paged to disk and makes sure all the info stays in volatile memory. It works great (the first Windows app that does).

Trouble is, this program actually has a few lines of malevolent code that record your secret-key passphrase, and if it finds a modem (who doesn't have a modem these days?) it 'atm0's the modem and dials up a hard coded number to some compromised computer or modem bank and sends the info through.

Possible? Yes. Likely? No.

What is reworked code?

The code to PGP is publically available. Therefore it is easy to modify. If someone were to modify the sourcecode to PGP inserting a sneaky backdoor and leave it at some distribution point, the results could be disasterous.

However, this attack is very easy to detect. Simply verify the checksums. Patching the MD5 module to report a false checksum is also possible, so verify using a known good copy. A more devious attack would be to modify the code, compile it and surreptitouly plant in the target system. In a networked environment this can be done without ever having physical access to the machine.

All parts of this FAQ