You found me…
Posts tagged pgp
EvilMaid versus Full Disk Encryption (TrueCrypt & PGP)
Oct 16th
Evil Maid is an attack against whole-system disk encryption. It is packaged as a small bootable USB stick image that lets the attack be performed in an easy “plug-and-play” way. The whole infection process takes about 1 minute, and it’s well suited to be used by hotel maids.
The Invisible Things blog goes into great detail on how most whole disk encryption is vulnerable in a relatively simple way. The scenario we consider is one where somebody has left an encrypted laptop in, e.g., a hotel room. Let’s assume the laptop uses full disk encryption such as that provided by TrueCrypt or PGP Whole Disk Encryption. Many people, including some well-known security experts, believe that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or “Coldboot” attacks. So, let’s assume we have a reasonably paranoid user who uses full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.
Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with the Evil Maid Sniffer, which will record the disk encryption passphrase the next time the user enters it. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.
So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).
Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.
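Since everything except the boot code is encrypted, the infection has to change the unencrypted boot region, which a defender can hash and compare from trusted boot media before typing the passphrase. The following is an added sketch, not code from the original post or the Evil Maid tool; the 63-sector region size assumes a legacy MBR layout, and the disk image is constructed sample data.

```python
import hashlib
import io

SECTOR = 512
BOOT_SECTORS = 63   # assumption: legacy MBR layout, boot loader in the first track


def sector_digests(dev, count=BOOT_SECTORS):
    """SHA-256 of each of the first `count` sectors of an open binary stream."""
    dev.seek(0)
    digests = []
    for _ in range(count):
        block = dev.read(SECTOR)
        if len(block) != SECTOR:
            raise ValueError("short read: boot region is truncated")
        digests.append(hashlib.sha256(block).hexdigest())
    return digests


def changed_sectors(baseline, current):
    """Sector numbers whose digest differs from the recorded baseline."""
    if len(baseline) != len(current):
        raise ValueError("baseline covers a different number of sectors")
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]


def boot_demo():
    # Constructed sample image: 63 boot sectors followed by 4 "encrypted" sectors.
    clean = bytearray(b"\x90" * SECTOR * BOOT_SECTORS + b"\xAA" * SECTOR * 4)
    clean[510:512] = b"\x55\xAA"                  # MBR boot signature
    baseline = sector_digests(io.BytesIO(bytes(clean)))

    tampered = bytearray(clean)
    tampered[5 * SECTOR + 17] ^= 0xFF             # one byte altered in sector 5

    same = changed_sectors(baseline, sector_digests(io.BytesIO(bytes(clean))))
    diff = changed_sectors(baseline, sector_digests(io.BytesIO(bytes(tampered))))
    return same, diff


if __name__ == "__main__":
    unchanged, modified = boot_demo()
    print("clean image   :", unchanged)
    print("tampered image:", modified)
```

The baseline has to be recorded while the machine is known to be clean and stored off the laptop; a check run from the installed system only happens after the passphrase has already been typed.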
Gmail is getting PGP Signatures
Feb 13th
OK, for those who don’t know what PGP is, let’s first give a brief explanation. PGP stands for Pretty Good Privacy. PGP encryption uses public-key cryptography and includes a system which binds the public keys to a user name and/or an e-mail address. Basically, PGP can be used to detect whether a message has been altered since it was completed and to determine whether it was actually sent by the person/entity claimed to be the sender (aka it’s a digital signature). In short, it allows you to encrypt information, check that the received information was not altered, and verify that it really came from the claimed sender.
I know that sounds all complicated, so let me try to break it into layman’s terms. You download PGP and create a public key and a private key. They are both called keys… but I prefer to look at it like this: Public Key = lock, Private Key = key. Your public key can be shared with anyone. They can use your public key to encrypt anything they want and send it to you. Once they encrypt it with your public key (aka the lock) nobody can open it but you with your private key (aka the key)… not even the sender.
Phil Zimmermann created the first version of PGP encryption way back in 1991. It’s gone through several revisions since then, changed hands many times, and has finally landed back in the hands of several ex-PGP team members who formed a new company, PGP Corporation. Confusingly, PGP stands for both the company and the technology. In reality there are open source (free) implementations of PGP that you can use.
When PGP first hit it scared the CRAP out of the government. The spooks wanted to control strong encryption. At the time PGP was created, cryptosystems using keys larger than 40 bits were considered munitions by the government; PGP has never used keys smaller than 128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. Zimmermann found a very novel approach to getting around this which you can read up on here.
I’ve been a PGP user for a LONG time. Most people don’t understand why. To be honest, I have very few people to whom I can send encrypted or digitally signed emails. And that’s a shame. Most people don’t understand that email travels around the net UNENCRYPTED. That’s right… it’s just like writing a letter and not even putting it in an envelope.
OK, so what’s this have to do with Google and Gmail? Apparently, a new Gmail feature was spotted that checks if the PGP signature attached to a message is valid. The following was spotted in Gmail recently:

So Google is playing around with public key cryptography to provide a method for employing digital signatures. Digital signatures enable the recipient of information to verify the authenticity of the information’s origin, and also verify that the information is intact. Sweet… if Google does this, digital signatures for the masses! Google has been pumping out new Labs features at a furious pace lately… hopefully we can expect to see this very soon!
To see code snippets and read more check out Google Operating System.
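The lock/key model and the signature check described in this post can be tried out with textbook RSA. This is an added illustration, not code from Gmail or from any PGP implementation: the key is a constructed toy built from two Mersenne primes, with no padding and none of the OpenPGP message format, so it shows the principle only.

```python
import hashlib

# Constructed toy key built from two Mersenne primes, so it is trivially
# factorable. Real PGP keys use random primes, padding and hybrid encryption.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
PUBLIC = (N, E)                                   # the "lock": share freely
PRIVATE = (N, pow(E, -1, (P - 1) * (Q - 1)))      # the "key": never shared


def apply_key(key, value: int) -> int:
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit this toy modulus")
    return pow(value, exponent, n)                # the one RSA operation


def encrypt(public, message: bytes) -> int:
    return apply_key(public, int.from_bytes(message, "big"))


def decrypt(key, ciphertext: int) -> bytes:
    m = apply_key(key, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message: bytes) -> int:
    return apply_key(private, digest(message))    # only the key holder can do this


def verify(public, message: bytes, signature: int) -> bool:
    return apply_key(public, signature) == digest(message)


def pgp_demo():
    msg = b"meet at noon"
    box, sig = encrypt(PUBLIC, msg), sign(PRIVATE, msg)
    return {
        "owner_opens": decrypt(PRIVATE, box) == msg,
        "sender_reopens": decrypt(PUBLIC, box) == msg,   # sender holds only the lock
        "signature_ok": verify(PUBLIC, msg, sig),
        "altered_ok": verify(PUBLIC, b"meet at nine", sig),
    }

print(pgp_demo())
```

Only `owner_opens` and `signature_ok` come back true: applying the public key a second time does not recover the message, and a signature made over one message does not verify against an altered one.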