From af44cc65caf87193abb5bea49aa0f61924e69fcb Mon Sep 17 00:00:00 2001 From: Heiko Schaefer Date: Sat, 2 Dec 2023 19:22:38 +0100 Subject: [PATCH] clarify KO attack details and mitigation --- book/source/05-private.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/book/source/05-private.md b/book/source/05-private.md index 433d4fa..210eb37 100644 --- a/book/source/05-private.md +++ b/book/source/05-private.md @@ -233,12 +233,20 @@ write ### Understanding key overwriting (KO) attacks -OpenPGP is subject to specific vulnerabilities known as key overwriting (KO) attacks. These attacks exploit weaknesses in how encrypted private keys or their metadata are handled, potentially leading to the leakage of secret data when a key is used. The core issue lies in OpenPGP's handling of Secret-Key packets, where corruption of the public, non-encrypted fields of these packets can cause the correct private key material to be used with corrupted public key parameters. This mismatch can result in private key leakage. +#### What they are -Importantly, KO attacks are particularly relevant when an attacker is responsible for storing a user's encrypted private key material. The attack involves providing the user with a corrupted version of their own encrypted (passphrase-protected) key material, thereby compromising the key's integrity. +OpenPGP is subject to specific vulnerabilities known as key overwriting (KO) attacks. These attacks exploit weaknesses in how encrypted private keys or their metadata are handled, potentially leading to the leakage of secret data when the key is used. The core issue lies in OpenPGP's handling of Secret-Key packets, where corruption of the non-encrypted fields can cause the unaltered private key material to be used with altered parameters. This mismatch can result in private key leakage. -Understanding KO attacks is crucial due to their potential to compromise the integrity and confidentiality of encrypted communications. KO attacks highlight the necessity for robust key validation procedures and the dangers of storing keys in insecure environments. As OpenPGP application developers, you should be aware of these risks to ensure the secure management of keys and to implement appropriate countermeasures. +Importantly, KO attacks are particularly relevant when an attacker is responsible for storing a user's encrypted private key. By altering the algorithm field in the Secret-Key packet, the attacker may cause the user to perform a cryptographic operation with a different algorithm. E.g., performing a DSA operation with ECC private key material. By observing the output of that attacker-corrupted operation, the attacker can recover the user's unencrypted private key material, even though the attacker had no direct access to it. -It's noteworthy that OpenPGP version 6 keys are not vulnerable to KO attacks when using S2K usage mode 253 (Argon2 + AEAD). This mode ensures the integrity of the public key by incorporating it into the encryption routine as additional data for verification. +#### Mitigation + +Understanding KO attacks is crucial due to their potential to compromise the integrity and confidentiality of encrypted communications, and the risk of complete private key material compromise. KO attacks highlight the necessity for robust key validation procedures and the dangers of storing keys in insecure environments. OpenPGP application developers should consider if this attack class is a concern in their applications. + +Private keys that are protected with [S2K usage mode 253 (AEAD)](https://www.ietf.org/archive/id/draft-ietf-openpgp-crypto-refresh-10.html#name-secret-key-encryption), are not vulnerable to KO attacks. This mode ensures the integrity of the private key by using its unencrypted fields (including the algorithm field) as the *authentication tag* for integrity verification in the decryption process. When an attacker alters the unencrypted part of the packet, then decryption of the private key material will fail, and the user is prevented from e.g. accidentally using the key material with an altered attacker-controlled algorithm. + +Note that while S2K usage mode 253 (AEAD) has been introduced in the OpenPGP version 6 specification, it can also be applied to OpenPGP version 4 key material (also see {ref}`s2k_best_practice`). + +#### Resources For comprehensive information on KO attacks, including background, attack vectors, countermeasures, and technical analyses, visit [KOpenPGP.com](https://www.kopenpgp.com/). It is based on the paper "Victory by KO: Attacking OpenPGP Using Key Overwriting" written by Lara Bruseghini, Daniel Huigens, and Kenneth G. Paterson for the Proceedings of ACM Conference on Computer and Communications Security, Los Angeles, November 2022. \ No newline at end of file