RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities Feb 10 2003 02:14AM
Mike (at) www.securityfocus (dot) com [email concealed], W (at) www.securityfocus (dot) com [email concealed],CISSP (mwcissp yahoo com)


Hash: SHA1

RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities


Advisory Information


Severity: High Risk

Vendor: Research Triangle Software, Inc.

Homepage: http://www.rtsz.com/

Advisory reported to vendor: February 2, 2003

Author: Michael Whitehead, CISSP

Author Contact: mwcissp (at) yahoo (dot) com [email concealed]


Vulnerability Summary


The software has multiple vulnerabilities related to the implementation of

its passphrase and general encryption techniques. The easiest to exploit

is through use of a symmetric key injection attack. An attacker can use

the software to encrypt a dummy file with a passphrase of his or her

choosing. The resulting secret key can then be inserted into any other

file that has been encrypted with the software. The resulting file may

then be decrypted using the software and the attacker's previously

selected passphrase. Details of this and other vulnerabilities can be

found at the end of this advisory.




There is no recommended solution at this time. The vendor was very

responsive to this advisory and provided additional information to further

develop this advisory. Vendor has indicated that the issues identified in

this advisory will be mitigated in the next version of the software.


Product Description


This shareware product would be generally classified as a "security &

encryption" file utility.

A description provided on one of the many shareware sites:

"CryptoBuddy(TM) (www.cryptobuddy.com) is an easy-to-use encryption

program that allows individuals and corporations to effectively protect

and encrypt their files and data. As the Internet increasingly becomes an

unsafe medium for transporting confidential information, CryptoBuddy

enables you to take any file and quickly encrypt and compress it."


Affected Versions


CryptoBuddy 1.2 and earlier versions.

O/S Notes: software is only available for Windows (Win95/98/ME/NT/2000/XP)




The use of this software should be determined relative to the risk.


Advisory Detail



The software is intended to "effectively protect and encrypt" files. As

such, it DOES encrypt files. The EFFECTIVENESS of the method used is key

to this advisory. Since this product's primary purpose is to be used as

a data encryption system, it is imperative that users of the software are

fully aware of limitations in its effectiveness at protecting their data.


Item 1:

Vulnerability-- Predictable File Schema; Secret key stored, not used to

encrypt data

Threat-- Unknown secret key can be replaced with known secret key

Exposure-- Attacker can decrypt any encrypted file created by any

user of this program

Attack-- "Symmetric key injection" (see Note below).

Tools-- hex editor, CryptoBuddy; exploit could be easily scripted

Severity -- High

Note-- I am using the term "Symmetric key injection attack" as I was

unable to find another term for this technique.

Description-- A passphrase provided by the user is simply encrypted and

stored with the resulting ciphertext and is not actually used to encrypt

the plaintext. It is stored in a predictable location (fixed-length,

reserved block) in the resulting ciphertext file (offset 120:15A). Since

the key is not used to encrypt the plaintext, the attacker can simply

encrypt an empty file, copy block 120:15A from the resulting encrypted

file, and replace the same block in ANY target file. The target file can

then be simply decrypted using the attacker's passphrase (and the

CryptoBuddy software). Payload ciphertext is always appended to the end

of the passphrase block (at offset 15C, after a spacer byte (0x00) at

offset 15B). This exploit works because the key is not used to encrypt

the plaintext.

Additional note- this exploit could be easily scripted.


Item 2:

Vulnerability-- Encrypted passphrase has some predictability, weakly

encrypted, not hashed, and unseeded/unsalted

Attack-- Dictionary attack via predictable keys

Attack-- Segmented brute forcing (like the LANMAN attacks)

Severity-- High

Description-- Obviously, these attacks are not preferred methods, as

Item #1 is easy to employ. Note: I did not analyze the encryption

algorithm (no debugging/reverse engineering); however, since the software

develops a predictable/known key for each passphrase, a dictionary could

be easily developed.

Additionally, there appears to be a weakness in the passphrase algorithm,

in that the passphrase is broken into 4-byte segments; thus making

dictionary and brute force attacks substantially easier (by decreasing

the work factor).

Some examples:

[Plaintext Passphrase; (ASCII)] -> (Ciphertext Key (hex))


1234 -> 44F9FA2A174A3F8E 2A7D2C59DA0D6A3B

++++++++++++++++ ****************

12345 -> 44F9FA2A174A3F8E 2437EE3219DED143


5678 -> 743575164122BA96 2A7D2C59DA0D6A3B


analysis: + = 1st 4 bytes are split, not hashed with entire passphrase;

* = predictability related to passphrase length


12345678 -> 44F9FA2A174A3F8E 6CB1A73BD2C69BA8

1234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02


123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02

E75E0CE089B45E02 6CB1A73BD2C69BA8

12345678123456781234567812345678 -> 44F9FA2A174A3F8E E75E0CE089B45E02

E75E0CE089B45E02 E75E0CE089B45E02


analysis: larger keys are highly repetitive and predictable


Item 3:

Vulnerability-- Passphrase key is truncated after the 55th byte of the


Threat-- Long passwords (>55 bytes) provide no more entropy

(strength) than the first 53 bytes (see Item 4, for

explanation of why this isn't the "first 55 bytes")

Severity-- Medium

Note-- Items 3 and 4 are listed as "medium severity" ONLY because users

are less likely to use passphrases longer than 53 bytes.

Description-- A passphrase of >55 bytes is truncated, prior to being

encrypted and stored as the key. This weakens the perceived strength of

passphrases longer than 55 bytes. Additionally, this indicates that the

passphrase is not hashed (or not well-hashed).


Item 4:

Vulnerability-- Bytes 53 through 55 of a 55-byte or longer passphrase are

stored in plaintext

Threat-- Exposure of elements of the passphrase

Severity-- Medium

Description-- Self-explanatory

** end of advisory **


Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>





[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus