Internet Security Professional Reference:PGP


Secret Keys and Pass Phrases

The security of the PGP secret key ring is based on two things: access to the secret key ring data and knowledge of the pass phrase that is used to encrypt each secret key. Possession of both parts is needed to use the secret key. This also leads to a number of attacks, however.

If PGP is used on a multiuser system, other users can gain access to the secret key ring. Through cache files, network sniffing, or a multitude of other attacks, a secret key ring can be obtained just by watching the network or reading through the disks. This leaves only the pass phrase to protect the data in the secret key ring, which means an attacker needs to obtain only the pass phrase to break the security of PGP.

Moreover, on a multiuser system, the link between the keyboard and the CPU is probably insecure. Watching the keystrokes would be easy for anyone who has physical access to the network connecting the user’s keyboard to the mainframe being used. For example, users might be logged in from a public cluster of client terminals, where the connecting network can be sniffed for pass phrases. Alternatively, users might be dialing up via modem, in which case an eavesdropper could listen in on their keystrokes. In either case, running PGP on a multiuser machine is insecure.

Of course, the most secure way to run PGP is on a personal machine that no one else uses and is not connected to the network; in other words, a laptop or home computer. Users must balance the cost of a secure environment with that of secure communications. The recommended way to use PGP is always on a secure machine in a secure environment, where the user has control over the machine.

The key to the best type of security is that the connection between the keyboard and the CPU be secure. This is accomplished either by encryption or better yet by a direct, uninterruptible connection. Workstations, PCs, Macs, laptops—all fit into the category of secure machines. The secure environment is much more difficult to show and is not explored here.

Public Key Ring Attacks

Because PGP depends so heavily on the public key ring, it is susceptible to a number of attacks against the key ring. First, the key ring is checked only when it changes. When new keys or signatures are added, PGP will attempt to verify them. However, it will flag the checked signatures on the key ring so it will not validate them again. If someone modifies the key ring and sets the bits appropriately on signatures, they will not be checked.

Another attack against the key ring focuses on the process PGP uses to set a bit recording the validity of a key. When new signatures arrive on a key, PGP computes the validity of the key by using the Web of Trust values described earlier. PGP then caches the validity on the public key ring. An attacker could modify this bit on the key ring to force a user to trust the validity of an invalid key. For example, by setting this flag an attacker could make the user believe that a key belongs to Alice even though there are not enough signatures to prove that validity.

Another attack against PGP’s public key ring may occur because the trust of a key as an introducer is also cached on the public key ring. This value defines how much trust is put in this key’s signatures, so it is possible to force PGP to accept invalid keys as valid by signing them with the key with the invalid trust parameter. If a key were modified to be a fully trusted introducer, any keys that were signed by that key would be trusted as valid. Therefore, an attacker could force the user to believe that a forged key is valid by signing it with the modified key.

The biggest problem with the public key ring is that all of these bits are not only cached on the key ring, but they are not protected in any way on the key ring! Anyone who has read the PGP source code and has access to the public key ring can use a binary file editor to change any of these bits, and the key ring owner would never notice the change. Fortunately, PGP provides a way to recheck the keys on the key ring. By using the -kc and -km options together, a user can tell PGP to perform a key maintenance pass over the whole key ring. The former option tells PGP to check keys and signatures. It will go through the key ring and recheck every signature. When all the signatures have been checked, PGP will perform a maintenance check (-km) and recompute the validity of all the keys.

Unfortunately there is no way to completely recheck all of the trust bytes on keys. This is a bug. There should be a command to tell PGP to ignore all trust bytes and ask the user for trust starting with the ultimate keys—those on the secret key ring. Perhaps a future version of PGP will fix this problem. If a key is modified to be a trusted introducer, there is no easy way for you to find the change and fix it. Running the key and maintenance checks will revert the validity of a key, but not the trust value. Only running pgp -ke on a key will enable you to edit the trust parameters, and this cannot be done automatically.
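The following added example (not PGP code and not PGP's key ring format) models the three cached values discussed above to show which tampering a check-and-maintenance pass undoes and which it leaves in place. All names are hypothetical, an HMAC stands in for a public-key signature, and validity is simplified to "one checked signature from a valid, fully trusted key".

```python
import hashlib, hmac

# Toy signing secrets (constructed); HMAC stands in for a public-key signature.
SECRETS = {"me": b"k-me", "bob": b"k-bob", "mallory": b"k-mallory"}
BASELINE = {"me": "ultimate", "bob": "full"}  # trust noted off-ring; others "none"

def sign(signer, target):
    return hmac.new(SECRETS[signer], target.encode(), hashlib.sha256).hexdigest()

def key(trust, valid, *sigs):
    return {"trust": trust, "valid": valid, "sigs": list(sigs)}

def sig(by, target, forged=False):
    # "checked" is the cached flag that lets later runs skip verification
    return {"by": by, "sig": "00" * 32 if forged else sign(by, target), "checked": True}

def tampered_ring():
    return {
        "me": key("ultimate", True),
        "bob": key("full", True, sig("me", "bob")),
        "mallory": key("full", True, sig("me", "mallory")),  # trust edited, was "none"
        "carol": key("none", True),  # validity bit set, no signatures at all
        "dave": key("none", True, sig("bob", "dave", forged=True)),  # bad sig, flag set
        "eve": key("none", True, sig("mallory", "eve")),  # good sig from the edited key
    }

def check_pass(ring):
    # Like -kc: ignore the cached flag and re-verify every signature.
    for name, k in ring.items():
        for s in k["sigs"]:
            s["checked"] = hmac.compare_digest(s["sig"], sign(s["by"], name))

def maintenance_pass(ring):
    # Like -km: recompute validity from checked signatures and introducer trust.
    def vouched(s):
        signer = ring[s["by"]]
        return s["checked"] and signer["valid"] and signer["trust"] in ("full", "ultimate")
    for k in ring.values():
        k["valid"] = k["trust"] == "ultimate"
    for _ in ring:  # enough rounds for validity to propagate along any chain
        for k in ring.values():
            k["valid"] = k["valid"] or any(vouched(s) for s in k["sigs"])

def trust_drift(ring, baseline):
    # Trust is never recomputed, so compare it with a copy kept off the key ring.
    return {n: (baseline.get(n, "none"), k["trust"]) for n, k in ring.items() if baseline.get(n, "none") != k["trust"]}

def valid_keys(ring):
    return sorted(n for n, k in ring.items() if k["valid"])
```

After both passes, carol and dave lose their validity but eve stays valid, because the edited trust value on mallory is taken as given. Only the comparison against the separately kept trust record flags mallory.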

Program Security

If someone has access to the PGP binary, he or she can change it to make it do whatever they want. If this meddler can replace your PGP binary from right underneath your nose, your trust in PGP would then be based on your trust in that person or your ability to actually verify the program. For example, an attacker with such access could change PGP to always validate signatures, even if the signature is invalid. PGP could be modified to always send a cleartext copy of all messages straight to the NSA. These kinds of attacks are difficult to detect and difficult to counteract. PGP needs to be a part of the trusted code base; if you cannot trust your PGP binary, then you cannot trust its output.

The best way to trust the PGP binary is to build it from sources yourself. That is not always possible, however. Alternatives involve watching it being built or getting it from a trusted source. It helps to look at the size and date of the binary. Using other trusted programs like md5sum can help. But this just pushes the problems down to another layer. If you cannot trust the PGP program, there is not much you can do.

