Mailing List Archive: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG

Seeking Assurance on Security and Memory Leaks in SuSE GnuPG

Aug 27, 2022, 8:17 AM

Post #1 of 5 (452 views)

I have recently been seeking assurances on protection of sensitive
data on my SuSE Leap 15.4 system, and protection of passwords.

Issues discussed concern gpg2 2.2.27-150300.3.5.1, and keepassxc
2.7.1-bp154.3.3.1; together with hypothetical queries on Youbikey as
libykpers-1-1 1.19.0-4.19.

Protection of Symmetric passwords (or passphrases) usually involves a
Key Distribution Function (KDF) which "mangles" the User password to
produce the "master key" which is actually used to encrypt sensitive
material. The KDF is deliberately designed to be slow (eg thousands to
millions of AES-256 rounds) and, more recently, also designed to
require substantial memory (eg Argon2). This is to slow brute-force
attack on passphrases (which may have limited entropy to permit
memorability), and (more recently) to limit the use of GPU and/or
ASIC-based brute-force attack.

The KeePass password safe
(https://keepass.info/help/base/security.html) helpfully describes its
security features, such as encryption of whole database, random-salted
adjustable KDF (multiple AES-256, or Argon2; together with timing of
KDF function --- eg 1 second). When running: sensitive data stored
encrypted in secure process memory, and over-writing such memory
before release. Internal viewer/edit available, which avoids putting
data onto disk. Anti-keylogger facilities --- although additional
hardware may be needed to protect against hardware-based keyloggers
located between keyboard and computer.

Uncertainty: Does a Yubikey make a KeePass pasword available through
secure process memory? Can anyone point me to a description?

Having discovered encrypted PDFs are essentially broken
(https://www.kaspersky.com/blog/36c3-pdf-encryption/33827/), I have
been looking more carefully at encrypted archive formats, both for
communication and storage (eg of PDF files), and both during User use
and for 'data at rest' --- which may be vulnerable to hacking.

As a long-time user of GnuPG, with hindsight I am now concerned at
having failed to find any description of GnuPG security aspects
similar to that above for KeePass. Perhaps these security requirements
are so obvious they do not need describing explicitly, but the cynic
in me would like to see something more concrete.

Worryingly, the Enigmail Handbook
(https://www.enigmail.net/documentation/Enigmail_Handbook_1.8_en.pdf
Section 8.2) merely notes `You should be aware ... that your encrypted
mails are as safe as allowed by the computer you use Enigmail on. ...
If your computer is infected with a key logger and a malware that
grants an intruder remote access on your files, all the cryptographic
robustness of OpenPGP and the strongest passphrase won't protect your
messages from being snooped or falsified'. This sounds like a 'Counsel
of Perfection' which is not particularly helpful.

Does anyone know of a clear description of security aspects in GnuPG,
comparable to that above for KeePass?

On 29 Nov 2021, Spectra Secure noted
(https://www.youtube.com/watch?v=j-qBChKG15Y , starting 2:00) that
although gpg has '--s2k' settings that are supposed to change the weak
default (cipher, digest hash, and digest-hash rounds-count) algorithms
from AES-128, SHA-1 and a low count --- for key export --- it will
ignore these setting without even giving a warning. A bug-report has
been in place since 2017, although this has never been fixed. However,
a subsequent comment (from skeeto on reddit) suggested that the
'export' gpg protection differed from that of the keyring, so you
cannot infer a problem with conventional use of the keyring.

OK, so I have been doing a little experimentation. Using the KeePass
KDF timing of AES-KDF, my 2011 12-thread processor i7-3930K CPU at 3.2
GHz (CPUMark 8,247) performs a KDF of 23,400,000 AES-KDF rounds in
1.0~s (and time was proportional to the number of rounds). This is a
highly serial process, so must be performed on a single thread. In
principle, this processor could achieve (say) 12 X 23,400,000 =
280,800,000 AES-256 rounds in 1~s while brute-forcing 12 potential
passwords. The 2021 i7-12700K (CPUMark 34,460: 4.2-fold faster),
costing less than GBP 400, could in principle achieve one billion (one
thousand million) AES-256 rounds per second --- and faster speeds
would be available from multiple processors, GPUs, or ASIC-based
devices.

We now time the encryption of a 28 Byte or 565 kByte plaintext file,
with various 'count' values via:

time gpg2 -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA256 \
--s2k-count 2097152 cleartext_file

with a short 11-character password. In practice, although we are
timing an encryption, for high 'count' values the KDF process will
dominate timing, and the known password details will be irrelevant. We
present only User time, as System time is negligible:

Some results are:
For 28 Byte cleartext:

Count User Time (s)
1024 0.237
131072 0.005
2097152 0.013
65011712 0.320

For 565 kByte cleartext:

Count User Time (s)
1024 0.245
131072 0.020
2097152 0.033
65011712 0.341

We see the cleartext length is not greatly significant, especially at
higher count values, but the User Time is nowhere near linear with
count --- which one would expect. For a count of 65,011,712 rounds,
the Time is around 0.33 seconds. On the same machine, 23,400,000
AES-KDF rounds were completed in 1.0~s (with a linear relationship),
implying that at the s2k maximum count of 65,011,712, the gpg code is
a factor of (65,011,712 / 0.33) / (23,400,000 / 1.0) = 8.4 times
faster than the KeePass code, with much smaller factors for lower
count values. This all sounds highly inconsistent and suspicious ---
and the lengthy timing for a count of 1024 is completely unexplained.

It is difficult to avoid the suspicion that the s2k parameters are not
doing what is stated in the info gpg. In particular, it is unclear
whether the gpg KDF is protecting the master key as expected.

This sounds like a bug. Can anyone explain what is happening?

If a Yubikey is used to store the User passphrase for gpg, is it
passed to the gpg code via secured memory which is overwritten before
close-down?

I am hoping someone will be able to help me on these points.

Tony

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG [ In reply to ]

gnupg-users at gnupg

Aug 27, 2022, 12:00 PM

Post #2 of 5 (452 views)

Permalink

Very interesting question indeed, Tony!

On 8/27/22 15:17, Tony Lee via Gnupg-users wrote:
> I have recently been seeking assurances on protection of sensitive
> data on my SuSE Leap 15.4 system, and protection of passwords.
>
> Issues discussed concern gpg2 2.2.27-150300.3.5.1, and keepassxc
> 2.7.1-bp154.3.3.1; together with hypothetical queries on Youbikey as
> libykpers-1-1 1.19.0-4.19.
>
>
> Protection of Symmetric passwords (or passphrases) usually involves a
> Key Distribution Function (KDF) which "mangles" the User password to
> produce the "master key" which is actually used to encrypt sensitive
> material. The KDF is deliberately designed to be slow (eg thousands to
> millions of AES-256 rounds) and, more recently, also designed to
> require substantial memory (eg Argon2). This is to slow brute-force
> attack on passphrases (which may have limited entropy to permit
> memorability), and (more recently) to limit the use of GPU and/or
> ASIC-based brute-force attack.
>
> The KeePass password safe
> (https://keepass.info/help/base/security.html) helpfully describes its
> security features, such as encryption of whole database, random-salted
> adjustable KDF (multiple AES-256, or Argon2; together with timing of
> KDF function --- eg 1 second). When running: sensitive data stored
> encrypted in secure process memory, and over-writing such memory
> before release. Internal viewer/edit available, which avoids putting
> data onto disk. Anti-keylogger facilities --- although additional
> hardware may be needed to protect against hardware-based keyloggers
> located between keyboard and computer.
>
> Uncertainty: Does a Yubikey make a KeePass pasword available through
> secure process memory? Can anyone point me to a description?
>
> Having discovered encrypted PDFs are essentially broken
> (https://www.kaspersky.com/blog/36c3-pdf-encryption/33827/), I have
> been looking more carefully at encrypted archive formats, both for
> communication and storage (eg of PDF files), and both during User use
> and for 'data at rest' --- which may be vulnerable to hacking.
>
> As a long-time user of GnuPG, with hindsight I am now concerned at
> having failed to find any description of GnuPG security aspects
> similar to that above for KeePass. Perhaps these security requirements
> are so obvious they do not need describing explicitly, but the cynic
> in me would like to see something more concrete.
>
> Worryingly, the Enigmail Handbook
> (https://www.enigmail.net/documentation/Enigmail_Handbook_1.8_en.pdf
> Section 8.2) merely notes `You should be aware ... that your encrypted
> mails are as safe as allowed by the computer you use Enigmail on. ...
> If your computer is infected with a key logger and a malware that
> grants an intruder remote access on your files, all the cryptographic
> robustness of OpenPGP and the strongest passphrase won't protect your
> messages from being snooped or falsified'. This sounds like a 'Counsel
> of Perfection' which is not particularly helpful.
>
> Does anyone know of a clear description of security aspects in GnuPG,
> comparable to that above for KeePass?
>
> On 29 Nov 2021, Spectra Secure noted
> (https://www.youtube.com/watch?v=j-qBChKG15Y , starting 2:00) that
> although gpg has '--s2k' settings that are supposed to change the weak
> default (cipher, digest hash, and digest-hash rounds-count) algorithms
> from AES-128, SHA-1 and a low count --- for key export --- it will
> ignore these setting without even giving a warning. A bug-report has
> been in place since 2017, although this has never been fixed. However,
> a subsequent comment (from skeeto on reddit) suggested that the
> 'export' gpg protection differed from that of the keyring, so you
> cannot infer a problem with conventional use of the keyring.
>
> OK, so I have been doing a little experimentation. Using the KeePass
> KDF timing of AES-KDF, my 2011 12-thread processor i7-3930K CPU at 3.2
> GHz (CPUMark 8,247) performs a KDF of 23,400,000 AES-KDF rounds in
> 1.0~s (and time was proportional to the number of rounds). This is a
> highly serial process, so must be performed on a single thread. In
> principle, this processor could achieve (say) 12 X 23,400,000 =
> 280,800,000 AES-256 rounds in 1~s while brute-forcing 12 potential
> passwords. The 2021 i7-12700K (CPUMark 34,460: 4.2-fold faster),
> costing less than GBP 400, could in principle achieve one billion (one
> thousand million) AES-256 rounds per second --- and faster speeds
> would be available from multiple processors, GPUs, or ASIC-based
> devices.
>
> We now time the encryption of a 28 Byte or 565 kByte plaintext file,
> with various 'count' values via:
>
> time gpg2 -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA256 \
> --s2k-count 2097152 cleartext_file
>
> with a short 11-character password. In practice, although we are
> timing an encryption, for high 'count' values the KDF process will
> dominate timing, and the known password details will be irrelevant. We
> present only User time, as System time is negligible:
>
> Some results are:
> For 28 Byte cleartext:
>
> Count User Time (s)
> 1024 0.237
> 131072 0.005
> 2097152 0.013
> 65011712 0.320
>
> For 565 kByte cleartext:
>
> Count User Time (s)
> 1024 0.245
> 131072 0.020
> 2097152 0.033
> 65011712 0.341
>
> We see the cleartext length is not greatly significant, especially at
> higher count values, but the User Time is nowhere near linear with
> count --- which one would expect. For a count of 65,011,712 rounds,
> the Time is around 0.33 seconds. On the same machine, 23,400,000
> AES-KDF rounds were completed in 1.0~s (with a linear relationship),
> implying that at the s2k maximum count of 65,011,712, the gpg code is
> a factor of (65,011,712 / 0.33) / (23,400,000 / 1.0) = 8.4 times
> faster than the KeePass code, with much smaller factors for lower
> count values. This all sounds highly inconsistent and suspicious ---
> and the lengthy timing for a count of 1024 is completely unexplained.
>
> It is difficult to avoid the suspicion that the s2k parameters are not
> doing what is stated in the info gpg. In particular, it is unclear
> whether the gpg KDF is protecting the master key as expected.
>
> This sounds like a bug. Can anyone explain what is happening?
>
> If a Yubikey is used to store the User passphrase for gpg, is it
> passed to the gpg code via secured memory which is overwritten before
> close-down?
>
> I am hoping someone will be able to help me on these points.
>
>
> Tony
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG [ In reply to ]

gnupg-users at gnupg

Aug 29, 2022, 6:17 AM

Post #3 of 5 (451 views)

Permalink

On Sat, 27 Aug 2022 16:17, Tony Lee said:

> Count User Time (s)
> 1024 0.237

For backward compatibility reasons with 1.4 the default count value is
used in this case. The default value is computed by gpg-agent and
depends on your machine (cf. gpg-agent's --s2k-calibration option). See
the first condition in the function below:

/* Pack an s2k iteration count into the form specified in RFC-4880.
* If we're in between valid values, round up. */
unsigned char
encode_s2k_iterations (int iterations)
{
unsigned char c=0;
unsigned char result;
unsigned int count;

if (iterations <= 1024)
return 0; /* Command line arg compatibility. */

if (iterations >= 65011712)
return 255;

/* Need count to be in the range 16-31 */
for (count=iterations>>6; count>=32; count>>=1)
c++;

result = (c<<4)|(count-16);

if (S2K_DECODE_COUNT(result) < iterations)
result++;

return result;
}

This mapped value is required by the RFC-4880. When passing an RFC-4800
encoded value to our KDF function, we decode it first.

> We see the cleartext length is not greatly significant, especially at
> higher count values, but the User Time is nowhere near linear with
> count --- which one would expect. For a count of 65,011,712 rounds,
> the Time is around 0.33 seconds. On the same machine, 23,400,000
> AES-KDF rounds were completed in 1.0~s (with a linear relationship),

You can't compare some AES-KDF to the SHA1 based KDF of OpenPGP. The
increase in speed you see is due to caching effects on modern CPUs and
the highly optimized SHA1 code in Libgcrypt. Something a cracker would
have also.

The default of GnuPG is to let the system take about 100ms for the S2K
to make brute forcing the password of the private key harder. Using any
non-full entropy password for symmetric encryption is a Bad Idea. With
a full entropy password the S2K iterations don't matter at all.

So either use a a full-entropy password or use public key encryption.

If an attacker got access to your private key (encrypted or
non-encrypted) your are anyway in tilt mode.

> If a Yubikey is used to store the User passphrase for gpg, is it

A Yubikey or any other smartcard does not store the password but stores
the private key and only allows operations with that private after
having unlocked the token. For this you use a PIN where the hardware of
the token allows only 3 to 10 false trees - thus a small number is
sufficient to avoid brute forcing.

Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG [ In reply to ]

gnupg-users at gnupg

Aug 30, 2022, 9:41 AM

Post #4 of 5 (451 views)

Permalink

First: I am impressed, and honoured, to have had a fast response from
Werner.

I vaguely understand your explanation that the 1024 "Count" value was
interpreted for backward compatibility with 1.4. However, according to
the info gpg, I had followed their instructions in asking for some
specific algorithms and Count values, as:

time gpg2 -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA256 \
--s2k-count Count_Value cleartext_file

... where info gpg notes for --s2k-count n : Specify how many times
the passphrases mangling for symmetric encryption is repeated. This
value may range between 1024 and 65011712 inclusive.

... which seems to imply very clearly that I wished to use AES256
together with SHA256, and that I had specified permissible Count
values. Furthermore, this was symmetric encryption (my recipients were
not keen on installing gpg properly!!), with (several) defined
Count_Values --- for my test purposes. Incidentally, the code complained
about names AES-256 and SHA-256, but not about the names used above.

Thus, I do not really understand why my instruction was ignored to
give "1.4 compatibility".

I am still rather in the dark concerning your code as my C does not
exist: I am more the Algol, Fortran, Pascal, and IDL type (I said I
was a long-time, if occasional, User of GnuPG). I hoped I was using
Count values of 1024, 131072, 2097152, 65011712 --- all of which are
legitimate, although I understand that some may be rounded up. If
you need to change the detailed format, what Count values do these
actually produce?

> You can't compare some AES-KDF to the SHA1 based KDF of OpenPGP. The
> increase in speed you see is due to caching effects on modern CPUs and
> the highly optimized SHA1 code in Libgcrypt. Something a cracker
> would have also.

OK, this is another surprise to me. I had imagined the KDF would be
based on an iterated AES cipher, rather than an iterated hash
function, and that if a hash function were used it would be the
requested SHA-256. Hash functions may be more typically used to test
the result of KDF processing, rather than forming the KDF itself. As
you know, both AES-128 and SHA-1 are generally deprecated functions.

In any case, I understand that the AES and SHA families are compact
serial functions that can (I assume) be evaluated within a modern CPU
chip using a single thread. I have been assuming that the "Counts"
relate to iterations within the KDF (as AES-128 and AES-256 have
standard "rounds" counts of 10 and 14), which seems to imply the KDF
processing effort (and thus timing) should be linearly related to the
number of Counts.

Perhaps it is, although my uncertainty of effective "Counts" makes
this unclear. For the maximum 65011712 Count, the difference between
28 Bytes and 565 kBytes was 0.02 s, which may relate to the decryption
process. At 2097152 Count, subtraction of 0.02 from the 565kByte
result produces the 28 Byte result; and for this "decryption
subtracted" result, the 31-fold increase from 2097152 to 65011712
Counts produces a 0.320/0.013 = 24.6-fold time increase --- which may
well be equality within the crudeness of this experiment. Trying to
compare smaller (and unknown effective) Counts may well give results
too crude for credibility.

> The default of GnuPG is to let the system take about 100ms for the S2K
> to make brute forcing the password of the private key harder. Using any
> non-full entropy password for symmetric encryption is a Bad Idea. With
> a full entropy password the S2K iterations don't matter at all.
>
> So either use a a full-entropy password or use public key encryption.

OK, my plan was to produce a KDF delay of 100--500ms or so, so in
practice we are in the same ball-park.

By "full entropy" I assume you mean an assessed entropy of 80--120
bits. Although in principle I agree, in practice it is very difficult
to produce such randomness: for example, a lengthy English phrase has
certain regularities that reduce entropy, and this is the basis of
modified brute-force techniques. Remember, we are talking symmetric
encryption here; if this is used for communication, we need to
communicate the passphrase by different means, eg by telephone. My
experience is that it is all too easy to mis-communicate high-entropy
passphrases, with subsequent hassle. I agree public-key encryption is
much better for communication, but I have difficulty persuading others
to install gpg properly! The use of a high-delay KDF reduces the
practical number of brute-force attempts, mitigating the need for
high-entropy passphrases to a small extent. Using a modern KDF such as
Argon2 (memory-hard as well as time-hard) would also mitigate the use
of specialised hardware brute-forcing.

Of course, all the above is detail concerning "data on the move". In
practice, I am also concerned about "data at rest", where a hacker may
be able to access my system --- either while I am using passphrases,
or where they are stored. Symmetric encryption is typically used
to encrypt local files, where it is much more practical to use complex
passphrases as they need to be stored but not communicated. However, I
have no oversight of what has been done within gpg to protect
passphrases locally.

In my earlier comment, I noted that KeePass gave a usefully
encouraging oversight of how areas of memory were secured from other
applications while KeePass is in use, giving a degree of protection
from malware etc. It may well be that such techniques are so
blindingly obviously necessary that there is little point in
explicitly describing them. My own perception is that a similar
oversight on gpg would provide much-needed reassurance to someone like
myself who is in no position to evaluate such information from the
open-source code --- I must leave it to others to support/criticize
any reported oversight. Thus, I reiterate my earlier query: Does such
security oversight exist for gpg, and where do I find it? If not, can
it please be produced. It may well be that the descriptions for
KeePass may well provide a template for gpg, provided it is modified
to reflect truth.

As an additional point, during processes where security-critical
keys/passphrases as passed from (say) KeyPass or Yubikey to gpg, or
gpg decrypts secured information to make it visible, what steps are
taken to secure these critical items against malevolent software, or
unwanted storage on disk which may be vulnerable to subsequent attack?

As I explained, any "Counsel of Perfection" on avoidance of malware is
ultimately somewhat unhelpful. I would hope the gpg software would
provide at least some assistance in this area.

Hoping you can help me here.

Tony

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG [ In reply to ]

bernhard at intevation

Sep 12, 2022, 2:43 AM

Post #5 of 5 (425 views)

Permalink

Am Dienstag 30 August 2022 18:41:19 schrieb Tony Lee via Gnupg-users:
> By "full entropy" I assume you mean an assessed entropy of 80--120
> bits. Although in principle I agree, in practice it is very difficult
> to produce such randomness

Generating passphrases from a large dictionary makes this feasable
E.g. https://wald.intevation.org/scm/browser.php?group_id=71&scm_plugin=scmhg
is a small tool I wrote a few years ago to understand this better,
calling it with the English dictionary from `trans`, I get

./ppgen.py -2
Reading entries from /usr/share/trans/de-en....................
Found 129207 dictionary entries.
|= Number of words |= possibilities |

| 4 | 2^67.9 |
| 5 | 2^84.9 |
| 6 | 2^101.9 |

So with 5 or six words, you easily have a passphrase in the desired range.
(There are other generators a well.)
In my experience, it is possible to memorize such passwords, by construction
a story around it. Of course it is some effort, but then again 3 or 4 words
maybe enough for your use-case and see next point:

> I agree public-key encryption is
> much better for communication, but I have difficulty persuading others
> to install gpg properly!

Given the overall advantages, what are the difficulties to convince
your peers to install GnuPG? (Or any other OpenPGP implementation.)

> My own perception is that a similar
> oversight on gpg would provide much-needed reassurance to someone like
> myself who is in no position to evaluate such information from the
> open-source code

More documentation naturally is helpful, but it is a lot of effort
to write and it must be kept in sync. Who tells you that the overview
documention still represents the technical implementation well?
A lot of things are changing by the months, not just the implementation,
but also the understanding of security properties (like attack capabilities).
But those have to be re-considered if the necessary summary judgement
of the overview shall be useful I think.
So I think this overview documentation you are asking for, would be less
useful than expected.

> what steps are
> taken to secure these critical items against malevolent software, or
> unwanted storage on disk which may be vulnerable to subsequent attack?

The first and most important step is to secure your operating system,
environment and storage according to your security needs.
The challenge here is that this is beyond GnuPG (or any other single
application) to control. Nor is it useful to try in many cases.

Take virtualisation as example, there is no way for GnuPG to know if
it is runsin a virtual computing environment where the memory can be
frozen into storage at any time. Same with safe deleting of files.

Putting the effort into following general secure computing practive
will help your GnuPG security more, usually.

Regards,
Bernhard

--
https://intevation.de/~bernhard ? +49 541 33 508 3-3
Intevation GmbH, Osnabr?ck, DE; Amtsgericht Osnabr?ck, HRB 18998
Gesch?ftsf?hrer Frank Koormann, Bernhard Reiter

Mailing List Archive

Attached Files:

Attached Files: