Bugtraq mailing list archives

RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities


From: Mike W, CISSP <mwcissp () yahoo com>
Date: 10 Feb 2003 02:14:06 -0000



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities

__________________________________________________________________________
 Advisory Information
__________________________________________________________________________

Severity:                     High Risk

Vendor:                       Research Triangle Software, Inc.
Homepage:                     http://www.rtsz.com/ 

Advisory reported to vendor:  February 2, 2003

Author:                       Michael Whitehead, CISSP 
Author Contact:               mwcissp () yahoo com  

__________________________________________________________________________
 Vulnerability Summary
__________________________________________________________________________
The software has multiple vulnerabilities related to the implementation of
its passphrase and general encryption techniques.  The easiest to exploit 
is a symmetric key injection attack.  An attacker can use 
the software to encrypt a dummy file with a passphrase of his or her 
choosing.  The resulting secret key can then be inserted into any other 
file that has been encrypted with the software.  The resulting file may 
then be decrypted using the software and the attacker's previously 
selected passphrase.  Details of this and other vulnerabilities can be 
found at the end of this advisory.

__________________________________________________________________________
 Solution
__________________________________________________________________________
There is no recommended solution at this time.  The vendor was very
responsive to this advisory and provided additional information to further
develop it.  The vendor has indicated that the issues identified in
this advisory will be mitigated in the next version of the software.

__________________________________________________________________________
 Product Description
__________________________________________________________________________
This shareware product would be generally classified as a "security & 
encryption" file utility.

A description provided on one of the many shareware sites:

"CryptoBuddy(TM) (www.cryptobuddy.com) is an easy-to-use encryption 
program that allows individuals and corporations to effectively protect 
and encrypt their files and data. As the Internet increasingly becomes an
unsafe medium for transporting confidential information, CryptoBuddy 
enables you to take any file and quickly encrypt and compress it."

__________________________________________________________________________
 Affected Versions
__________________________________________________________________________

CryptoBuddy 1.2 and earlier versions.

O/S Notes: software is only available for Windows (Win95/98/ME/NT/2000/XP)

__________________________________________________________________________
 Solution 
__________________________________________________________________________

The use of this software should be determined relative to the risk. 

__________________________________________________________________________
 Advisory Detail
__________________________________________________________________________

PREFACE:
The software is intended to "effectively protect and encrypt" files.  As 
such, it DOES encrypt files.  The EFFECTIVENESS of the method used is key
to this advisory.  Since this product's primary purpose is to be used as 
a data encryption system, it is imperative that users of the software are 
fully aware of limitations in its effectiveness at protecting their data.  

==========================================================================
Item 1:
 Vulnerability-- Predictable File Schema; Secret key stored, not used to 
                 encrypt data
 Threat--        Unknown secret key can be replaced with known secret key
 Exposure--      Attacker can decrypt any encrypted file created by any 
                 user of this program
 Attack--        "Symmetric key injection" (see Note below).
 Tools--         hex editor, CryptoBuddy; exploit could be easily scripted
 Severity --     High
 
 Note-- I am using the term "Symmetric key injection attack" as I was 
        unable to find another term for this technique.

 Description-- A passphrase provided by the user is simply encrypted and 
 stored with the resulting ciphertext and is not actually used to encrypt 
 the plaintext.  It is stored in a predictable location (fixed-length, 
 reserved block) in the resulting ciphertext file (offset 120:15A). Since 
 the key is not used to encrypt the plaintext, the attacker can simply 
 encrypt an empty file, copy block 120:15A from the resulting encrypted 
 file, and replace the same block in ANY target file.  The target file can
 then be simply decrypted using the attacker's passphrase (and the 
 CryptoBuddy software).  Payload ciphertext is always appended to the end 
 of the passphrase block (at offset 15C, after a spacer byte (0x00) at 
 offset 15B).  This exploit works because the key is not used to encrypt 
 the plaintext.

 Additional note-  this exploit could be easily scripted.  
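
 Added example (not part of the original advisory and not CryptoBuddy
 code): a sketch of a container in which the passphrase is bound to the
 payload, so the block substitution described in Item 1 is rejected.  The
 layout, names and iteration count are assumptions, and the HMAC-based
 keystream is a standard-library stand-in for a real authenticated cipher.

```python
# Added illustration, not CryptoBuddy code; layout and names are assumptions.
import hashlib, hmac, os

ITERATIONS = 200_000  # PBKDF2 work factor chosen for this example

def derive(passphrase, salt):
    """Stretch the whole passphrase with a per-file salt into two keys."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]          # (encryption key, MAC key)

def keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"),
                        hashlib.sha256).digest()
    return out[:n]

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase, plaintext):
    """Return salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive(passphrase, salt)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def unseal(passphrase, blob):
    """Verify the tag before decrypting; reject a modified or foreign header."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive(passphrase, salt)
    good = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong passphrase or modified file")
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def substitution_rejected():
    """Model Item 1: another file's key material in front of this payload."""
    victim = seal("victim passphrase", b"constructed sample payload")
    donor = seal("other passphrase", b"")
    try:
        unseal("other passphrase", donor[:64] + victim[64:])
    except ValueError:
        return True
    return False
```

 Because the encryption and MAC keys are derived from the passphrase and
 the tag covers the header and the payload, a header taken from another
 file neither verifies nor yields the right keystream.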
==========================================================================
Item 2:
 
 Vulnerability--     Encrypted passphrase has some predictability, weakly 
                     encrypted, not hashed, and unseeded/unsalted
 Attack--            Dictionary attack via predictable keys
 Attack--            Segmented brute forcing (like the LANMAN attacks)

 Severity--          High
 
 Description--  Obviously, these attacks are not preferred methods, as 
 Item #1 is easy to employ.  Note: I did not analyze the encryption 
 algorithm (no debugging/reverse engineering); however, since the software
 develops a predictable/known key for each passphrase, a dictionary could 
 be easily developed.

 Additionally, there appears to be a weakness in the passphrase algorithm, 
 in that the passphrase is broken into 4-byte segments, which makes 
 dictionary and brute-force attacks substantially easier (by decreasing 
 the work factor).

 Some examples:

  [Plaintext Passphrase; (ASCII)] -> (Ciphertext Key (hex))
  ----------------------------------------------------------------------- 
  
  1234  -> 44F9FA2A174A3F8E 2A7D2C59DA0D6A3B
           ++++++++++++++++ **************** 

  12345 -> 44F9FA2A174A3F8E 2437EE3219DED143 
           ++++++++++++++++

  5678 ->  743575164122BA96 2A7D2C59DA0D6A3B 
                            ****************

  analysis: + = 1st 4 bytes are split, not hashed with entire passphrase;
            * = predictability related to passphrase length


  ----------------------------------------------------------------------
  12345678                         ->  44F9FA2A174A3F8E 6CB1A73BD2C69BA8

  1234567812345678                 ->  44F9FA2A174A3F8E E75E0CE089B45E02
                                       6CB1A73BD2C69BA8

  123456781234567812345678         ->  44F9FA2A174A3F8E E75E0CE089B45E02
                                       E75E0CE089B45E02 6CB1A73BD2C69BA8

  12345678123456781234567812345678 ->  44F9FA2A174A3F8E E75E0CE089B45E02
                                       E75E0CE089B45E02 E75E0CE089B45E02
                                       6CB1A73BD2C69BA8

  analysis: larger keys are highly repetitive and predictable
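
  Added example (not part of the original advisory): a short script that
  tabulates the block reuse visible in the samples above and compares the
  number of guesses for a whole passphrase with the number for segments
  tested independently.  The hex values are copied from the table; the
  95-symbol alphabet and the assumption that each 4-byte segment can be
  tested on its own are illustrative.

```python
# Added illustration; the hex values are the ones printed in Item 2's table.
from collections import defaultdict

SAMPLES = {  # passphrase -> stored key, in the table's 8-byte groups
    "1234": "44F9FA2A174A3F8E 2A7D2C59DA0D6A3B",
    "12345": "44F9FA2A174A3F8E 2437EE3219DED143",
    "5678": "743575164122BA96 2A7D2C59DA0D6A3B",
    "12345678": "44F9FA2A174A3F8E 6CB1A73BD2C69BA8",
    "1234567812345678":
        "44F9FA2A174A3F8E E75E0CE089B45E02 6CB1A73BD2C69BA8",
    "123456781234567812345678":
        "44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 "
        "6CB1A73BD2C69BA8",
    "12345678123456781234567812345678":
        "44F9FA2A174A3F8E E75E0CE089B45E02 E75E0CE089B45E02 "
        "E75E0CE089B45E02 6CB1A73BD2C69BA8",
}

def shared_blocks(samples):
    """Blocks that occur under more than one passphrase -> those passphrases."""
    seen = defaultdict(set)
    for passphrase, key in samples.items():
        for block in key.split():
            seen[block].add(passphrase)
    return {b: sorted(p) for b, p in seen.items() if len(p) > 1}

def repeats_within(samples):
    """Passphrases whose stored key contains the same block more than once."""
    return [p for p, key in samples.items()
            if len(set(key.split())) < len(key.split())]

def candidates(alphabet, length, segment=None):
    """Guesses for the whole passphrase, or (assumption) per independent segment."""
    if segment is None:
        return alphabet ** length
    full, rest = divmod(length, segment)
    return full * alphabet ** segment + (alphabet ** rest if rest else 0)

if __name__ == "__main__":
    for block, owners in shared_blocks(SAMPLES).items():
        print(block, "<-", owners)
    print("internal repeats:", repeats_within(SAMPLES))
    print("8 chars, 95 symbols:", candidates(95, 8), "vs", candidates(95, 8, 4))
```

  A salted, iterated hash of the whole passphrase would produce no shared
  blocks across these samples and no repeats within one.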

==========================================================================
Item 3:
 Vulnerability-- Passphrase key is truncated after the 55th byte of the 
                 passphrase
 Threat--        Long passwords (>55 bytes) provide no more entropy 
                 (strength) than the first 53 bytes (see Item 4, for 
                 explanation of why this isn't the "first 55 bytes")
 Severity--      Medium

 Note-- Items 3 and 4 are listed as "medium severity" ONLY because users 
        are less likely to use passphrases longer than 53 bytes. 

 Description--  A passphrase of >55 bytes is truncated prior to being 
 encrypted and stored as the key.  This weakens the perceived strength of
 passphrases longer than 55 bytes.  Additionally, this indicates that the
 passphrase is not hashed (or not well-hashed).
                        
==========================================================================
Item 4:
 Vulnerability-- Bytes 53 through 55 of a 55-byte or longer passphrase are 
                 stored in plaintext
 Threat--        Exposure of elements of the passphrase
 Severity--      Medium
  
 Description--   Self-explanatory

** end of advisory **
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBPkc21XaPG39PRhvwEQJhXACeLSQRQN6GEDldNbF+u3fwTkL+tH4AoLrF
+xDCzlqHHNIqXJsino3yu9kR
=1ykT
-----END PGP SIGNATURE-----

