PGP Vulnerability
Ryan Pierce / Townsend Analytics Ltd. / Archipelago LLC
20 Aug 2002 1:15PM ET
As described below, a recent vulnerability was found with PGP and GnuPG. While PGP itself isn't really the issue, the concern lies in how PGP is used.
This is quite possibly something that might impact the FIX PGP-DES-MD5 system due to how we use PGP.
Assume the following:
1. Alice sends Bob a FIX Logon. Call the plaintext containing the DES key, IV and channel binding P, and the resulting cyphertext C.
2. Eve intercepts that Logon and steals C. This alone is useless, since Eve cannot decrypt C into P.
3. Eve modifies C in a special way, creating C'.
4. Eve sends Bob a Logon using the modified C'.
5. Bob decrypts it. It will decrypt to plaintext garbage that nobody can predict, which we will call P'. Bob then re-encrypts P' with Eve's public key, signs it, and sends it back to Eve as per the FIX protocol.
6. Eve decrypts it. At this point Eve knows C, C', and P'. Because of how C' was derived from C, Eve can use the resulting P' to compute P, which is the plaintext. This means that Eve now knows the DES key that Alice and Bob are using, and can decrypt all of their messages and impersonate either party.
There are some caveats with this approach:
1. If Alice and Bob used PGP compression, then this can foil the attack. I'm not sure if compression is enabled by default for these kinds of messages. For FIX, P is generally 24 bytes long, the first 16 of which are random, hence not compressible, so PGP might not even try to compress the block.
2. Eve must have a way to get Bob to decrypt C' and send Eve the resulting P'. This means that either Eve must have a business relationship with Bob, or that Bob must be configured to allow anyone to initiate a FIX session to him and respond with a Logon containing the decrypted PGP block, without validating the message signature on the Logon.
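The following Python program is an added illustration and is not part of the original note or of any FIX or PGP implementation. It models steps 3 to 6 above on a toy CFB construction (an 8-byte SHA-256-based block function standing in for DES or CAST, since CFB decryption only ever needs the cipher's forward direction) and then shows the mitigation behind caveat 2: a responder that validates the Logon before decrypting and echoing anything. An HMAC tag stands in for the Logon signature, and the key, IV and 24-byte P are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, matching the DES-era framing of the note


def block_fn(key: bytes, x: bytes) -> bytes:
    """Toy keyed block function (assumption: NOT DES/CAST, demo only).

    CFB mode only calls the cipher's forward direction, so a PRF built
    from SHA-256 is enough to show the malleability property.
    """
    return hashlib.sha256(key + x).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c  # next keystream block depends on this ciphertext block
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_fn(key, prev))
        prev = c
    return bytes(out)


# Constructed sample values (assumptions, not from any real session).
SAMPLE_KEY = b"k" * 16
SAMPLE_IV = bytes(range(BLOCK))
# 24-byte P: 8 bytes "DES key", 8 bytes "IV", 8 bytes "channel binding".
SAMPLE_P = bytes(range(0x10, 0x18)) + bytes(range(0x20, 0x28)) + b"BINDING!"


def malleability_demo(key: bytes, iv: bytes, p: bytes):
    """Steps 3-6 of the note: Eve flips known bits in the first block of C.

    CFB gives P'_0 = P_0 XOR delta (the same delta Eve chose), P'_1 is
    garbled, and later blocks resynchronise.  Once Bob echoes P', Eve
    undoes her own delta and reads P_0.  Returns (P', recovered block 0).
    """
    c = cfb_encrypt(key, iv, p)
    delta = bytes([0xA5]) * BLOCK
    c_mod = xor(c[:BLOCK], delta) + c[BLOCK:]  # C'
    p_mod = cfb_decrypt(key, iv, c_mod)        # what an unchecked Bob returns
    recovered = xor(p_mod[:BLOCK], delta)      # equals P_0
    return p_mod, recovered


def tag_logon(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Stand-in for the sender's Logon signature (assumption: HMAC, not PGP)."""
    return hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()


def responder_unchecked(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Bob as described in caveat 2: decrypts and echoes whatever arrives."""
    return cfb_decrypt(key, iv, ciphertext)


def responder_checked(key: bytes, mac_key: bytes, iv: bytes,
                      ciphertext: bytes, tag: bytes):
    """Bob who validates the Logon first; a modified C' is dropped silently."""
    if not hmac.compare_digest(tag_logon(mac_key, iv, ciphertext), tag):
        return None  # reject without decrypting, so no P' ever leaves Bob
    return cfb_decrypt(key, iv, ciphertext)


if __name__ == "__main__":
    p_mod, recovered = malleability_demo(SAMPLE_KEY, SAMPLE_IV, SAMPLE_P)
    print("Eve recovers block 0 of P:", recovered == SAMPLE_P[:BLOCK])
    c = cfb_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_P)
    tag = tag_logon(b"m" * 16, SAMPLE_IV, c)
    tampered = xor(c[:BLOCK], b"\xa5" * BLOCK) + c[BLOCK:]
    print("Checked Bob answers tampered C':",
          responder_checked(SAMPLE_KEY, b"m" * 16, SAMPLE_IV, tampered, tag))
```

The decisive difference between the two responders is the order of operations: `responder_checked` refuses to run the decryption at all when the Logon does not verify, so there is no P' for Eve to collect, whereas `responder_unchecked` is the configuration caveat 2 warns about. Note also that the modification garbles only the block after the one Eve touched; CFB resynchronises afterwards, so the rest of P' is returned intact.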
Now from a practical standpoint, I don't know if this really lessens FIX security. Assuming firms don't allow strangers to talk to their FIX engine and get an encrypted Logon in response, this limits the attack to something that only one's business partners can implement.
Also, in the above example, it isn't exactly trivial for Eve to intercept the communication. I maintain that anyone who can successfully intercept leased line or Internet traffic and wants to cause harm or steal information can likely find the couple hundred thousand dollars necessary for custom ASIC chips to do a brute force DES decryption.
Migrating to SSL or TLS eliminates this specific attack, and, assuming only strong (112 bit or higher) cyphersuites are employed, substantially increases the computational resources required to brute force a key.
Details of the PGP attack are:
http://www.eweek.com/article2/0,3959,462170,00.asp
http://www.counterpane.com/pgp-attack.html