J-Security Center

Title: OpenPGP Cipher Feedback Mode Chosen-Ciphertext Partial Plaintext Retrieval Vulnerability

Severity: HIGH

Description:

The OpenPGP Message Format Standard provides information on the message-exchange packet formats used by OpenPGP to provide encryption, decryption, signing, and key management functions. Many of the techniques described in the standard have been adopted into widely-used public key encryption programs.

OpenPGP can implement a variation of the cipher feedback (CFB) mode, which is a mode of operation for block ciphers. CFB encrypts the previous ciphertext block and combines the result with the current plaintext block using exclusive-OR (XOR) to produce the current ciphertext block. An initialization vector seeds this process for the first block.

OpenPGP is reported prone to a vulnerability that may allow attackers to retrieve partial plaintexts from encrypted OpenPGP messages.

It is reported that a proof-of-concept chosen-ciphertext attack method has been developed that exploits a flaw in OpenPGP to disclose partial plaintexts from OpenPGP messages encrypted with symmetric encryption. Apparently, when messages are encrypted in CFB mode, a design flaw in an integrity check feature can be exploited.

The integrity check attempts to avoid expensive decryption routines: in place of the CFB initialization vector, a random block is encrypted as the initial block of ciphertext, and two bytes from that random block are repeated in the second block of ciphertext. This allows a fast check of the symmetric key by decrypting only the first two blocks.

The chosen-ciphertext attack method needs to verify whether the integrity check was successful. This may be accomplished by checking for error messages resulting from a failure or by monitoring timing differences between successful and failed integrity check attempts. The first two bytes of a message block must be known as well. These can be derived from the known values of the OpenPGP packet headers that form the first two bytes of an encrypted message.
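As an added illustration (not code from this advisory, the OpenPGP standard, or any OpenPGP implementation), the following Python lays out the OpenPGP CFB random prefix block and its two repeated check bytes, the quick check whose pass/fail outcome is what the attack observes, and a decryptor that does no fail-fast branching on that check. The block cipher is a stand-in keyed hash (CFB only ever uses the encryption direction, so a one-way function exercises the mode exactly); all function names are assumptions.

```python
import hashlib
import os
from typing import Optional

BS = 8  # 64-bit block size, the case the advisory's 25 percent figure refers to

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Assumption: keyed SHA-256 truncated to one block stands in for the real cipher.
    return hashlib.sha256(key + block).digest()[:BS]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def openpgp_cfb_encrypt(key: bytes, plaintext: bytes, prefix: Optional[bytes] = None) -> bytes:
    """Random prefix block, two repeated check bytes, then resynchronised CFB."""
    prefix = prefix or os.urandom(BS)
    assert len(prefix) == BS
    c1 = xor(block_encrypt(key, bytes(BS)), prefix)      # zero IV, encrypted, XOR prefix
    check = xor(block_encrypt(key, c1)[:2], prefix[-2:]) # repeat of prefix bytes BS-1, BS
    out = bytearray(c1 + check)
    fr = bytes(out[2:2 + BS])                            # resync on the last BS ciphertext bytes
    for i in range(0, len(plaintext), BS):
        chunk = plaintext[i:i + BS]
        cblock = xor(block_encrypt(key, fr)[:len(chunk)], chunk)
        out += cblock
        fr = cblock
    return bytes(out)

def quick_check(key: bytes, ciphertext: bytes) -> bool:
    """The fast check: decrypt only BS+2 bytes and compare the repeated bytes.
    Exposing this result (error text or timing) is the oracle the advisory describes."""
    c1, check = ciphertext[:BS], ciphertext[BS:BS + 2]
    prefix = xor(block_encrypt(key, bytes(BS)), c1)
    repeated = xor(block_encrypt(key, c1)[:2], check)
    return repeated == prefix[-2:]

def openpgp_cfb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Hardened path: always decrypts the whole message and never branches on the
    quick check, leaving integrity to a separate authenticated check (e.g. an MDC)."""
    fr = ciphertext[2:2 + BS]
    out = bytearray()
    for i in range(BS + 2, len(ciphertext), BS):
        cblock = ciphertext[i:i + BS]
        out += xor(block_encrypt(key, fr)[:len(cblock)], cblock)
        fr = cblock
    return bytes(out)
```

Flipping one of the two check bytes makes `quick_check` fail deterministically, while `openpgp_cfb_decrypt` still does the same amount of work and returns the same length of output, which is the behaviour a server-side decryptor needs so that neither error messages nor timing reveal the check's result.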

It should be noted that this attack is only viable against server-based implementations of OpenPGP as it requires an initial setup cost of 2^15 queries and a subsequent 2^15 queries per block to determine the success of the integrity check. A successful attack against clients would require the client user to manually decrypt the same message over 32000 times. However, server-based implementations may automatically decrypt messages with a reduced likelihood of detection, making the attack more practical.

The attack is also limited in the amount of information that can be disclosed from an encrypted message. As the attack only discloses the first two bytes of every encrypted block, only partial disclosure of a message is possible. A block size of 64 bits can be exploited to disclose 25 percent of encrypted information.

The OpenPGP standard is reported vulnerable to this issue. It is not known whether PGP or GNU Privacy Guard or other implementations are vulnerable. This BID will be updated when more information becomes available.

Affected Products:

  • ALT Linux ALT Linux Compact 2.3.0
  • ALT Linux ALT Linux Junior 2.3.0
  • Caldera OpenLinux Server 3.1.1
  • Caldera OpenLinux Workstation 3.1.1
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Conectiva Linux 9.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Easy Software Products CUPS 1.1.20
  • GNU GNU Privacy Guard 1.0.0
  • GNU GNU Privacy Guard 1.0.0 .6
  • GNU GNU Privacy Guard 1.0.1
  • GNU GNU Privacy Guard 1.0.2
  • GNU GNU Privacy Guard 1.0.3
  • GNU GNU Privacy Guard 1.0.3 b
  • GNU GNU Privacy Guard 1.0.4
  • GNU GNU Privacy Guard 1.0.5
  • GNU GNU Privacy Guard 1.0.6
  • GNU GNU Privacy Guard 1.0.7
  • GNU GNU Privacy Guard 1.2.0
  • GNU GNU Privacy Guard 1.2.1
  • GNU GNU Privacy Guard 1.2.2
  • GNU GNU Privacy Guard 1.2.2 -r1
  • GNU GNU Privacy Guard 1.2.2 -rc1
  • GNU GNU Privacy Guard 1.2.3
  • GNU GNU Privacy Guard 1.2.4
  • Gentoo Linux
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Corporate Server 3.0.0
  • MandrakeSoft Corporate Server 3.0.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Multi Network Firewall 2.0.0
  • MandrakeSoft apcupsd 2006.0
  • MandrakeSoft gnupg-1.0.7-3.1mdk.i586.rpm
  • OpenPGP OpenPGP
  • OpenPKG OpenPKG 1.1.0
  • OpenPKG OpenPKG 1.2.0
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 8.0.0 i386
  • RedHat Linux 9.0.0 i386
  • RedHat Linux Advanced Work Station 2.1.0
  • S.u.S.E. Linux Personal 8.2.0
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.1.0 x86_64
  • S.u.S.E. Linux Personal 9.2.0
  • S.u.S.E. Linux Personal 9.2.0 x86_64
  • Sun Linux 5.0.5
  • Terra Soft Solutions Yellow Dog Linux 3.0.0
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 6.1.0
  • Turbolinux Turbolinux Server 6.5.0
  • Turbolinux Turbolinux Server 7.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • Turbolinux Turbolinux Workstation 6.0.0
  • Turbolinux Turbolinux Workstation 7.0.0
  • Turbolinux Turbolinux Workstation 8.0.0
  • Ubuntu Ubuntu Linux 4.1.0 ia32
  • Ubuntu Ubuntu Linux 4.1.0 ia64
  • Ubuntu Ubuntu Linux 4.1.0 ppc
  • Ubuntu Ubuntu Linux 5.0.0 4 amd64
  • Ubuntu Ubuntu Linux 5.0.0 4 i386
  • Ubuntu Ubuntu Linux 5.0.0 4 powerpc
  • Xpdf Xpdf 3.0.0 0
  • libpng libpng 1.0.15
  • libpng libpng3 1.2.5
