Mailing List Archive: GnuPG: users

Possible bug in gpg?

Index | Next | Previous | View Threaded

brad at 16systems

Jul 28, 2012, 11:18 AM

Post #1 of 11 (526 views)
Permalink

Possible bug in gpg?

Hi,

I have a symmetrically encrypted pgp file here:

http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp

gpg will accept the three characters !=X as the password and exit with a
return status of 0 (although it does not actually decrypt the file):

$ gpg -d pgp-easy.tgz.pgp
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

$ echo $?
0

!=X is not the plaintext password that was used to encrypt the file. I was
hoping someone on the list might be able to help me understand why this
might happen. Could it be a bug in gpg, or OpenPGP itself? Here is my gpg
version:

$ gpg --version
gpg (GnuPG) 1.4.12

Here is --list-packets:

$ gpg --list-packets pgp-easy.tgz.pgp
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
salt 8dd17929c3935452, count 65536 (96)
gpg: CAST5 encrypted data
:encrypted data packet:
length: unknown
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

I don't yet know the actual plaintext password or the exact
commands/program used to encrypt the file, but I should know in a few
days. This is a file that's apart of the defcon password cracking contest
and I came across this and wanted to mention it here.

I'm not subscribed to this list, so please cc me if you want to reach me.

Thanks,

Brad

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

laurent.jumet at skynet

Jul 28, 2012, 3:46 PM

Post #2 of 11 (519 views)
Permalink

Re: Possible bug in gpg? [In reply to]

Hello Brad !

"Brad Tilley" <brad [at] 16systems> wrote:

> I have a symmetrically encrypted pgp file here:

> http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp

> gpg will accept the three characters !=X as the password and exit with a
> return status of 0 (although it does not actually decrypt the file):

=== Begin Windows Clipboard ===
[C:\TEMP]gpg -v -v -v pgp-easy.tgz.pgp
gpg: using character set `CP858'
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
salt 8dd17929c3935452, count 65536 (96)
gpg: CAST5 encrypted data
:encrypted data packet:
length: unknown
gpg: encrypted with 1 passphrase
gpg: decryption okay
=== End Windows Clipboard ===

--
Laurent Jumet
KeyID: 0xCFAF704C

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

ben at adversary

Jul 28, 2012, 6:54 PM

Post #3 of 11 (518 views)
Permalink

Re: Possible bug in gpg? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 29/07/12 4:18 AM, Brad Tilley wrote:
> Hi,
>
> I have a symmetrically encrypted pgp file here:
>
> http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp
>
> gpg will accept the three characters !=X as the password and exit
> with a return status of 0 (although it does not actually decrypt
> the file):
>
> $ gpg -d pgp-easy.tgz.pgp gpg: CAST5 encrypted data gpg: encrypted
> with 1 passphrase gpg: WARNING: message was not integrity
> protected

Yep, I got essentially the same thing:

bash-3.2$ gpg -vvv pgp-easy.tgz.pgp
gpg: using character set `utf-8'
:symkey enc packet: version 4, cipher 3, s2k 3, hash 2
salt 8dd17929c3935452, count 65536 (96)
gpg: CAST5 encrypted data
:encrypted data packet:
length: unknown
gpg: encrypted with 1 passphrase
gpg: decryption okay
gpg: WARNING: message was not integrity protected
bash-3.2$ pgpdump pgp-easy.tgz.pgp
Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
New version(4)
Sym alg - CAST5(sym 3)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA1(hash 2)
Salt - 8d d1 79 29 c3 93 54 52
Count - 65536(coded count 96)
New: Symmetrically Encrypted Data Packet(tag 9)(512 bytes) partial start
Encrypted data [sym alg is specified in sym-key encrypted session key]
New: (13 bytes) partial end
bash-3.2$

> !=X is not the plaintext password that was used to encrypt the
> file. I was hoping someone on the list might be able to help me
> understand why this might happen. Could it be a bug in gpg, or
> OpenPGP itself? Here is my gpg version:

I symmetrically encrypted another file with CAST5 (same version of GPG
as you) and tried the same trick. The !=X string did not produce the
the same message. Instead I received the expected "decryption failed:
bad key" message.

> I don't yet know the actual plaintext password or the exact
> commands/program used to encrypt the file, but I should know in a
> few days. This is a file that's apart of the defcon password
> cracking contest and I came across this and wanted to mention it
> here.

Ah. I suspect that it will either be something weird to do with
whatever software was used to encrypt the file or someone has found a
way to be sneaky with it. Either way, when all is revealed please
post a follow-up.

> I'm not subscribed to this list, so please cc me if you want to
> reach me.

Sure. There has only been one other response which it does not appear
was CC'd to you, but it didn't shed any light either.

Maybe someone else here will have some insight.

Regards,
Ben

-----BEGIN PGP SIGNATURE-----

iQGcBAEBCgAGBQJQFJfMAAoJEH/y03E1x1U8LjMMALwYzbh4l+8iXMeb34twWMpL
jOp/XOYwn47ybTaa/vx7F+f0fX/JJAP3pUXoRF5RwSKDv3tMie1qGL4Dfi8QCx8G
eY8q2ahz+hDnzoa95tLx3cMnFaz/D4uGpFXvolyS1Ml0V1my+OXLcf9kta9w4qjD
h+GXrF4atgeEykDQIDJAcqAYcAg/Pmae7AHSM7O8a1HWgwr1tChj1huaOJfRVszI
1tDp30S1M+ub+YPCXiU1o0LVCbioIPkvmSGFgqBI36+VTglfHvZv+sI7uSO+gszz
tjm27p8d5ZICujD8h57x2veLnrMbHsgv109cw6q3y6bQYU/bjaXp45Ba2INKLwKW
9+2DTpZuX4Q+eQ15o3YbWFjgcLTv378nO/JfQGLLNYx7JoJ3wz7vIGofUHEt5ek7
aWMXnkGrOXJUYJMTlS4PpsFx3fI7tqNQ9d4Df8MEIjiHp0ha2WaBOy/0AKtxBVFH
14QSgvgG9jWKprfFcHz8nIv/kk48M3XVscyz6TFAtA==
=XfJ8
-----END PGP SIGNATURE-----

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

brad at 16systems

Jul 28, 2012, 8:26 PM

Post #4 of 11 (512 views)
Permalink

Re: Possible bug in gpg? [In reply to]

>> Hi,
>> I have a symmetrically encrypted pgp file here:
>> http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp
>> gpg will accept the three characters !=X as the password and exit with
a return status of 0 (although it does not actually decrypt the file):
>> $ gpg -d pgp-easy.tgz.pgp gpg: CAST5 encrypted data gpg: encrypted with
1 passphrase gpg: WARNING: message was not integrity
>> protected
>
> Yep, I got essentially the same thing:
>
> bash-3.2$ gpg -vvv pgp-easy.tgz.pgp
> gpg: using character set `utf-8'
> :symkey enc packet: version 4, cipher 3, s2k 3, hash 2
> salt 8dd17929c3935452, count 65536 (96)
> gpg: CAST5 encrypted data
> :encrypted data packet:
> length: unknown
> gpg: encrypted with 1 passphrase
> gpg: decryption okay
> gpg: WARNING: message was not integrity protected
> bash-3.2$ pgpdump pgp-easy.tgz.pgp
> Old: Symmetric-Key Encrypted Session Key Packet(tag 3)(13 bytes)
> New version(4)
> Sym alg - CAST5(sym 3)
> Iterated and salted string-to-key(s2k 3):
> Hash alg - SHA1(hash 2)
> Salt - 8d d1 79 29 c3 93 54 52
> Count - 65536(coded count 96)
> New: Symmetrically Encrypted Data Packet(tag 9)(512 bytes) partial start
> Encrypted data [sym alg is specified in sym-key encrypted session key]
> New: (13 bytes) partial end
> bash-3.2$
>
>> !=X is not the plaintext password that was used to encrypt the
>> file. I was hoping someone on the list might be able to help me
understand why this might happen. Could it be a bug in gpg, or
>> OpenPGP itself? Here is my gpg version:
>
> I symmetrically encrypted another file with CAST5 (same version of GPG
as you) and tried the same trick. The !=X string did not produce the
the same message. Instead I received the expected "decryption failed:
bad key" message.
>
>> I don't yet know the actual plaintext password or the exact
>> commands/program used to encrypt the file, but I should know in a few
days. This is a file that's apart of the defcon password
>> cracking contest and I came across this and wanted to mention it here.
>
> Ah. I suspect that it will either be something weird to do with
whatever software was used to encrypt the file or someone has found a
way to be sneaky with it. Either way, when all is revealed please post
a follow-up.
>
>> I'm not subscribed to this list, so please cc me if you want to reach me.
>
> Sure. There has only been one other response which it does not appear
was CC'd to you, but it didn't shed any light either.
>
> Maybe someone else here will have some insight.
>
>
> Regards,
> Ben

---

Thanks for the reply Ben, I've encountered several other plaintext strings
that cause the same behavior. Here's another one:

K02&10&![

It seems to work (gpg -d accepts the string and exits with status 0) but
again the data are not decrypted. Someone cracked this, so we should know
what the actual plaintext is soon.

Thanks again,

Brad

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

Jul 28, 2012, 9:48 PM

Post #5 of 11 (518 views)
Permalink

Re: Possible bug in gpg? [In reply to]

On Jul 28, 2012, at 2:18 PM, Brad Tilley wrote:

> Hi,
>
> I have a symmetrically encrypted pgp file here:
>
> http://16s.us/word_machine/downloads/pgp-easy.tgz.pgp
>
> gpg will accept the three characters !=X as the password and exit with a
> return status of 0 (although it does not actually decrypt the file):
>
> $ gpg -d pgp-easy.tgz.pgp
> gpg: CAST5 encrypted data
> gpg: encrypted with 1 passphrase
> gpg: WARNING: message was not integrity protected
>
> $ echo $?
> 0
>
> !=X is not the plaintext password that was used to encrypt the file. I was
> hoping someone on the list might be able to help me understand why this
> might happen. Could it be a bug in gpg, or OpenPGP itself? Here is my gpg
> version:

I haven't examined this file extensively, but assuming it isn't corrupt, or specifically engineered to be not decryptable in some way, I'm suspecting this is an example of a quick check failure. In OpenPGP, a message is made up of different packets. In your case you have a symmetric key encrypted session key packet (essentially instructions on how to mangle the passphrase into a session key), followed by an encrypted data packet, which is encrypted to the session key that results from the first packet. Normally, when decrypting, the client will read the first packet, prompt the user for a passphrase, and mangle the passphrase into a session key. Then it reads the second packet, and uses the session key to decrypt the data.

However, people being people, they can easily typo the passphrase, and given the method above, if the passphrase is wrong, the session key will be wrong, and the data decrypted will be gibberish. To combat this, OpenPGP has two "quick check" bytes in the encrypted data packet. Basically, they're a repetition of two random bytes from earlier in the message. The idea is that if the session key is wrong (i.e. the passphrase is wrong), the original random bytes won't match their repetition, and the client can immediately say "Wrong passphrase!" rather than blithely continue and potentially decrypt lots of data that won't turn out to be valid.

The practical upshot of this design is that while it works most of the time (in that virtually all incorrect passwords will be immediately flagged as such), each symmetrically encrypted message has the chance for other, incorrect, passphrases that nevertheless will pass the quick check. Obviously, these cannot decrypt the message, but they mangle into (invalid) session keys that just so happen to decrypt the data so that the 16-bit quick check matches, allowing the client to proceed, and decrypt (incorrectly) the rest of the data. Usually this fails fairly quickly afterwards as the data decrypted is not valid OpenPGP structures, so the client will stop with an error message about being unable to read the file.

In this particular case, the !=X passphrase passes the quick check, and the incorrectly decrypted data happens to look like a packet of packet type 0, of length 942141745. GPG ignores the invalid packet (there is no packet type 0), and so no output is generated.

So, assuming my guess is right, it's not a bug in OpenPGP or GnuPG (though perhaps giving an error when it saw the packet type of 0 would have been better), but a pretty unlikely confluence of events. How did you come up with the !=X passphrase? Exhaustive search? I'd be curious to find out what the real password is, once it is revealed.

Incidentally, these quick check bytes were used as the basis for an ingenious attack against OpenPGP a few years ago. See http://eprint.iacr.org/2005/033.pdf

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

brad at 16systems

Jul 29, 2012, 5:47 AM

Post #6 of 11 (504 views)
Permalink

Re: Possible bug in gpg? [In reply to]

<snip>

Thanks for the reply David. The file was actually cracked so we'll know
the plaintext sometime soon, although that may likely matter not.

> However, people being people, they can easily typo the passphrase, and
> given the method above, if the passphrase is wrong, the session key will
> be wrong, and the data decrypted will be gibberish. To combat this,
> OpenPGP has two "quick check" bytes in the encrypted data packet.
> Basically, they're a repetition of two random bytes from earlier in the
> message. The idea is that if the session key is wrong (i.e. the
> passphrase is wrong), the original random bytes won't match their
> repetition, and the client can immediately say "Wrong passphrase!" rather
> than blithely continue and potentially decrypt lots of data that won't
> turn out to be valid.

That seems like a reasonable check to make in most cases. I know that
symmetric-key algorithms will happily output garbage when the wrong
password is used and that may confuse some people, but then again, some
others may actually prefer that. If I was expecting a pdf file (upon
successful decryption) and there was no pdf header up front (only
randomish looking bytes all through the file), then that would be a decent
indication, to me, that the bytes I saw were not actually decrypted.

> The practical upshot of this design is that while it works most of the
> time (in that virtually all incorrect passwords will be immediately
> flagged as such), each symmetrically encrypted message has the chance for
> other, incorrect, passphrases that nevertheless will pass the quick check.
> Obviously, these cannot decrypt the message, but they mangle into
> (invalid) session keys that just so happen to decrypt the data so that the
> 16-bit quick check matches, allowing the client to proceed, and decrypt
> (incorrectly) the rest of the data. Usually this fails fairly quickly
> afterwards as the data decrypted is not valid OpenPGP structures, so the
> client will stop with an error message about being unable to read the
> file.
>
> In this particular case, the !=X passphrase passes the quick check, and
> the incorrectly decrypted data happens to look like a packet of packet
> type 0, of length 942141745. GPG ignores the invalid packet (there is no
> packet type 0), and so no output is generated.
>
> So, assuming my guess is right, it's not a bug in OpenPGP or GnuPG (though
> perhaps giving an error when it saw the packet type of 0 would have been
> better), but a pretty unlikely confluence of events. How did you come up
> with the !=X passphrase? Exhaustive search? I'd be curious to find out
> what the real password is, once it is revealed.

I wrote a small shell script to loop sending password attempts to gpg. I
found three words that caused this behavior in about two hours of trying.
Two of the words worked on the file I initially posted and the other one
on a different file in the contest. So, it seems rather common. Within a
day or so, I could probably generate dozens of words that cause this
behavior.

Thanks again,

Brad

> Incidentally, these quick check bytes were used as the basis for an
> ingenious attack against OpenPGP a few years ago. See
> http://eprint.iacr.org/2005/033.pdf
>
> David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

johanw at vulcan

Jul 29, 2012, 6:29 AM

Post #7 of 11 (510 views)
Permalink

Re: Possible bug in gpg? [In reply to]

On 29-07-2012 6:48, David Shaw wrote:

> To combat this, OpenPGP has two "quick check" bytes in the encrypted data packet.
> Basically, they're a repetition of two random bytes from earlier in
the message.

Does this not lead to a possible known-plaintext attack on gpg?

--
ir. J.C.A. Wevers
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

rjh at sixdemonbag

Jul 29, 2012, 7:08 AM

Post #8 of 11 (512 views)
Permalink

Re: Possible bug in gpg? [In reply to]

On 7/29/2012 9:29 AM, Johan Wevers wrote:
> Does this not lead to a possible known-plaintext attack on gpg?

At risk of seeming condescending --

There is no such thing as a known-plaintext attack on GnuPG. There are
only known-plaintext attacks against the algorithms in GnuPG.

Since there are no practical known-plaintext attacks against any of the
algorithms in GnuPG, we can conclude this feature does not facilitate
any such attack.

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

dshaw at jabberwocky

Jul 29, 2012, 9:11 AM

Post #9 of 11 (513 views)
Permalink

Re: Possible bug in gpg? [In reply to]

On Jul 29, 2012, at 9:29 AM, Johan Wevers wrote:

> On 29-07-2012 6:48, David Shaw wrote:
>
>> To combat this, OpenPGP has two "quick check" bytes in the encrypted data packet.
>> Basically, they're a repetition of two random bytes from earlier in
> the message.
>
> Does this not lead to a possible known-plaintext attack on gpg?

The attack a few years ago was chosen-ciphertext. For those who don't recall, if you have a system that will decrypt messages submitted to it, and will return an error if the message doesn't decrypt (i.e. you've made an oracle), you can use this attack to get 2 bytes out of every cipher block in 2^15 attempts on average, per block. It's not necessary for the attack, but if you know the first 2 bytes of the plaintext that helps start the chain (and in OpenPGP you can virtually always guess the contents of the first 2 bytes).

This is not a weakness of the cipher in question (it applies to all OpenPGP ciphers), but is due to the OpenPGP CFB "stutter" of the quick check.

Read the whole paper at http://eprint.iacr.org/2005/033.pdf It's interesting work.

This happened before RFC-4880 was published, so there is some discussion of it in there as well. It is why GnuPG (and possibly PGP - I don't recall offhand) ignores the quick check bytes when decrypting a public key encrypted message. We do still use them for symmetric messages for obvious reasons, which is why the original poster saw the oddity he did. I'm guessing he set up a brute force password cracker for that message and was surprised to see just how many passphrases "succeeded", but didn't manage to decrypt the message.

David

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

brad at 16systems

Jul 30, 2012, 6:45 AM

Post #10 of 11 (505 views)
Permalink

Re: Possible bug in gpg? [In reply to]

brad at 16systems

Jul 30, 2012, 11:32 AM

Post #11 of 11 (506 views)
Permalink

Re: Possible bug in gpg? [In reply to]

> I'd be curious to find out what the real password is, once it is revealed.

The actual password is glucose.

Brad

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads