lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 26 May 2006 18:39:16 +0300 (IDT)
From: Alexander Klimov <alserkli@...ox.ru>
To: thesinoda@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA ,
 PGP 8.x & 9.x and Truecrypt.


On Wed, 24 May 2006 thesinoda@...mail.com wrote:
> Steps to access PGP Encrypted Disk (Passphrase) using a Backdoor type attack
> [...]
>     * Now say you give that disk to someone and they changed the
>       passphrase on it. You can still access it

Intuitively, the system works as follows: a random key K is used to
encrypt all the data on the volume; the passphrase is used to encrypt
the key K. This design allows to change the passphrase without
reencrypting the whole drive (only K needs to be reencrypted). One
well-known side-effect is that if one knows K he can decrypt the data.

There is no `security bug' in a program --
it is just the user who does not even bother to read the FAQ
<http://www.truecrypt.org/faq.php>:

    Q: Is it secure to create a new container by cloning an
    existing container?

    A: You should always use the Volume Creation Wizard to
    create a new TrueCrypt volume. [...]


Btw, an `attack' similar to the one you described is also explained in
the same document:

    Q: We use TrueCrypt in a corporate environment. Is there
    a way for an administrator to reset a password when a
    user forgets it?

    A: There is no "back door" implemented in TrueCrypt.
    However, there is a way to "reset" a TrueCrypt volume
    password/keyfile. After you create a volume, backup its
    header (select Tools -> Backup Volume Header) before you
    allow a non-admin user to use the volume. Note that the
    volume header (which is encrypted with a header key
    derived from a password/keyfile) contains the master key
    with which the volume is encrypted. Then ask the user to
    choose a password, and set it for him/her (Volumes ->
    Change Volume Password); or generate a user keyfile for
    him/her. Then you can allow the user to use the volume
    and to change the password/keyfiles without your
    assistance/permission. In case he/she forgets his/her
    password or loses his/her keyfile, you can "reset" the
    volume password/keyfiles to your original admin
    password/keyfiles by restoring the volume header (Tools
    -> Restore Volume Header).

-- 
Regards,
ASK

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ