RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities

__________________________________________________________________________
Advisory Information
__________________________________________________________________________

Severity: High Risk
Vendor: Research Triangle Software, Inc.
Homepage: http://www.rtsz.com/
Advisory reported to vendor: February 2, 2003
Author: Michael Whitehead, CISSP
Author Contact: mwcissp@yahoo.com

__________________________________________________________________________
Vulnerability Summary
__________________________________________________________________________

The software has multiple vulnerabilities in the implementation of its passphrase handling and general encryption techniques. The easiest to exploit is a symmetric key injection attack. An attacker can use the software to encrypt a dummy file with a passphrase of his or her choosing. The resulting secret key can then be inserted into any other file that has been encrypted with the software, and that file may then be decrypted using the software and the attacker's previously selected passphrase. Details of this and the other vulnerabilities are given at the end of this advisory.

__________________________________________________________________________
Solution
__________________________________________________________________________

There is no recommended solution at this time. The vendor was very responsive to this advisory and provided additional information that helped develop it further. The vendor has indicated that the issues identified in this advisory will be mitigated in the next version of the software.

__________________________________________________________________________
Product Description
__________________________________________________________________________

This shareware product would generally be classified as a "security & encryption" file utility.
A description provided on one of the many shareware sites:

"CryptoBuddy(TM) (www.cryptobuddy.com) is an easy-to-use encryption program that allows individuals and corporations to effectively protect and encrypt their files and data. As the Internet increasingly becomes an unsafe medium for transporting confidential information, CryptoBuddy enables you to take any file and quickly encrypt and compress it."

__________________________________________________________________________
Affected Versions
__________________________________________________________________________

CryptoBuddy 1.2 and earlier versions.
O/S Notes: the software is only available for Windows (Win95/98/ME/NT/2000/XP).

__________________________________________________________________________
Solution
__________________________________________________________________________

The use of this software should be determined relative to the risk.

__________________________________________________________________________
Advisory Detail
__________________________________________________________________________

PREFACE: The software is intended to "effectively protect and encrypt" files. As such, it DOES encrypt files. The EFFECTIVENESS of the method used is the subject of this advisory. Since this product's primary purpose is data encryption, it is imperative that users of the software are fully aware of the limitations in its effectiveness at protecting their data.

==========================================================================
Item 1:

Vulnerability-- Predictable file schema; the secret key is stored, not used to encrypt the data
Threat-- An unknown secret key can be replaced with a known secret key
Exposure-- An attacker can decrypt any encrypted file created by any user of this program
Attack-- "Symmetric key injection" (see Note below)
Tools-- hex editor, CryptoBuddy; the exploit could easily be scripted
Severity-- High
Note-- I am using the term "symmetric key injection attack" because I was unable to find an existing term for this technique.

Description-- The passphrase provided by the user is simply encrypted and stored alongside the resulting ciphertext; it is not actually used to encrypt the plaintext. It is stored in a predictable location (a fixed-length, reserved block) in the resulting ciphertext file, at offset 120:15A. Since the key is not used to encrypt the plaintext, an attacker can simply encrypt an empty file, copy block 120:15A from the resulting encrypted file, and replace the same block in ANY target file. The target file can then be decrypted using the attacker's passphrase (and the CryptoBuddy software). The payload ciphertext is always appended after the passphrase block, starting at offset 15C, following a spacer byte (0x00) at offset 15B. This exploit works because the key is not used to encrypt the plaintext.

Additional note-- this exploit could easily be scripted.

==========================================================================
Item 2:

Vulnerability-- The encrypted passphrase has some predictability: it is weakly encrypted, not hashed, and unseeded/unsalted
Attack-- Dictionary attack via predictable keys
Attack-- Segmented brute forcing (like the LANMAN attacks)
Severity-- High

Description-- Obviously, these attacks are not the preferred method, since Item 1 is easy to employ. Note: I did not analyze the encryption algorithm (no debugging or reverse engineering); however, since the software derives a predictable/known key for each passphrase, a dictionary could easily be developed. Additionally, there appears to be a weakness in the passphrase algorithm in that the passphrase is broken into 4-byte segments, making dictionary and brute force attacks substantially easier (by decreasing the work factor).
Some examples:

[Plaintext Passphrase (ASCII)] -> (Ciphertext Key (hex))
-----------------------------------------------------------------------
1234   -> 44F9FA2A174A3F8E 2A7D2C59DA0D6A3B
          ++++++++++++++++ ****************
12345  -> 44F9FA2A174A3F8E 2437EE3219DED143
          ++++++++++++++++
5678   -> 743575164122BA96 2A7D2C59DA0D6A3B
                           ****************

analysis: + = the first 4 bytes are split off, not hashed together with the entire passphrase;
          * = predictability related to passphrase length
----------------------------------------------------------------------
12345678                         -> 44F9FA2A174A3F8E 6CB1A73BD2C69BA8
1234567812345678                 -> 44F9FA2A174A3F8E E75E0CE089B45E02 6CB1A73BD2C69BA8
123456781234567812345678         -> 44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 6CB1A73BD2C69BA8
12345678123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 E75E0CE089B45E02 6CB1A73BD2C69BA8

analysis: larger keys are highly repetitive and predictable

==========================================================================
Item 3:

Vulnerability-- The passphrase key is truncated after the 55th byte of the passphrase
Threat-- Long passphrases (>55 bytes) provide no more entropy (strength) than the first 53 bytes (see Item 4 for why this is not the "first 55 bytes")
Severity-- Medium
Note-- Items 3 and 4 are rated "medium severity" ONLY because users are less likely to use passphrases longer than 53 bytes.

Description-- A passphrase of more than 55 bytes is truncated before being encrypted and stored as the key. This weakens the perceived strength of passphrases longer than 55 bytes. Additionally, this indicates that the passphrase is not hashed (or not well hashed).
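The sample table in Item 2 lends itself to a quick quantitative check. The following Python is an added example, not code from the advisory or the vendor: it reuses the advisory's passphrase/key pairs, tests whether the first 4-byte segment is encrypted independently of the rest, compares the per-segment work factor with whole-passphrase brute force, and contrasts the result with a salted PBKDF2 derivation (the 8-byte block size, salt and iteration count are my assumptions).

```python
import hashlib

# Added example (not from the advisory or vendor): quantify the Item 2
# observations.  The passphrase -> stored-key pairs are transcribed from the
# advisory's sample table; block size, salt and KDF parameters are assumptions.
OBSERVED = {
    "1234":             "44F9FA2A174A3F8E2A7D2C59DA0D6A3B",
    "12345":            "44F9FA2A174A3F8E2437EE3219DED143",
    "5678":             "743575164122BA962A7D2C59DA0D6A3B",
    "12345678":         "44F9FA2A174A3F8E6CB1A73BD2C69BA8",
    "1234567812345678": "44F9FA2A174A3F8EE75E0CE089B45E026CB1A73BD2C69BA8",
}

def blocks(hexkey: str, size: int = 8) -> list:
    """Split a stored key into the 8-byte blocks the advisory lines up."""
    raw = bytes.fromhex(hexkey)
    return [raw[i:i + size] for i in range(0, len(raw), size)]

def shared_blocks(key_a: str, key_b: str) -> list:
    """Blocks two stored keys have in common; a sound KDF should give none."""
    return [b for b in blocks(key_a) if b in blocks(key_b)]

def first_segment_is_stable(observed: dict) -> bool:
    """True if passphrases with the same first 4 characters always share the
    same first stored block, i.e. the leading segment is encrypted on its own
    (the '+' rows).  That is what makes a per-segment dictionary possible."""
    seen = {}
    for pw, key in observed.items():
        seen.setdefault(pw[:4], set()).add(blocks(key)[0])
    return all(len(first) == 1 for first in seen.values())

def work_factor(length: int, alphabet: int, segment: int = 4) -> tuple:
    """(guesses when each segment is attacked on its own, guesses for the whole
    passphrase).  Segmenting turns exponential cost into a sum of small terms."""
    seg_lens = [segment] * (length // segment)
    if length % segment:
        seg_lens.append(length % segment)
    return sum(alphabet ** n for n in seg_lens), alphabet ** length

def hardened_key(passphrase: str, salt: bytes) -> str:
    """Contrast: a salted, iterated KDF (PBKDF2-HMAC-SHA256) has no segment
    structure, so related passphrases share no blocks."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 32).hex()
```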
==========================================================================
Item 4:

Vulnerability-- Bytes 53 through 55 of a 55-byte or longer passphrase are stored in plaintext
Threat-- Exposure of elements of the passphrase
Severity-- Medium
Description-- Self-explanatory

** end of advisory **
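As an added example, not part of the advisory or the vendor's software: a parser for the file layout given in Item 1 and an audit check that detects the underlying design flaw by comparing two files that hold the same plaintext under different passphrases. The offsets are the advisory's; reading them as hexadecimal with an inclusive key-block range, and a zero-filled header in the constructed fixture, are my assumptions.

```python
# Added example (not from the advisory or vendor): a parser for the file
# layout Item 1 describes and a defender-side check for the flaw itself.
# Offsets come from the advisory (key block 120:15A, spacer 0x00 at 15B,
# payload from 15C); reading them as hex with an inclusive range is assumed.
KEY_START, KEY_END, SPACER, PAYLOAD = 0x120, 0x15A, 0x15B, 0x15C
KEY_LEN = KEY_END - KEY_START + 1  # 59 bytes under that assumption

def parse_cryptobuddy(blob: bytes) -> dict:
    """Split an encrypted file into the regions the advisory describes."""
    if len(blob) < PAYLOAD or blob[SPACER] != 0x00:
        raise ValueError("not the layout described in the advisory")
    return {
        "header": blob[:KEY_START],                # contents not described
        "key_block": blob[KEY_START:KEY_END + 1],  # stored (encrypted) passphrase
        "payload": blob[PAYLOAD:],                 # ciphertext of the file data
    }

def key_bound_to_payload(file_a: bytes, file_b: bytes) -> bool:
    """Audit check: take the SAME plaintext encrypted under two DIFFERENT
    passphrases.  In a sound design the passphrase feeds the data key, so the
    payloads differ.  Identical payloads under different key blocks mean the
    passphrase is merely stored next to the data, which is exactly the
    property that lets a key block from another file be accepted."""
    a, b = parse_cryptobuddy(file_a), parse_cryptobuddy(file_b)
    if a["key_block"] == b["key_block"]:
        raise ValueError("the two files must use different passphrases")
    return a["payload"] != b["payload"]

def make_sample(key_block: bytes, payload: bytes) -> bytes:
    """Build a file in the advisory's layout (a constructed fixture, not real
    CryptoBuddy output); the undocumented header is zero-filled."""
    if len(key_block) != KEY_LEN:
        raise ValueError(f"key block must be {KEY_LEN} bytes")
    return bytes(KEY_START) + key_block + b"\x00" + payload
```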