Bitmap Discovery Exploits
It was announced back in October 2008 that Bernd Roellgen of PMC Ciphers has “discovered” a possible exploit which can be used to reveal details of the encryption key used to protect hard disk image backups. PMC used this information to promote the release of a new version of their software which is immune.
Some customers have asked me what I think about this, as it relates to McAfee products, so I thought a blog would be a good place to start.
You can find the news article on Bernd’s discovery on TechWorld. Let’s start by summarizing what he’s talking about.
1. If you have a lot of bitmap images
2. And you make a number of backups of these bitmaps using the same encryption key to protect them in each case
3. And someone bad has two or more copies of these backups
4. And that someone knows that you have a predominantly white/black image encrypted with the same key, and knows how to find it in your backup
It would be possible for someone to obtain some information about the content of the bitmap.
You can see a great example of Bernd’s discovery on his company site – it relies on the fact that bitmaps are fairly structured and simple, and that there’s no compression or RLE (run-length encoding) used. I’d give you the link but unfortunately the site has a few naughty words on the company contact page and I don’t want them ending up in my McAfee/Reconnex DLP index.
The short version of how this attack works is:
1. Take an encrypted image (a)
2. Multiply the encrypted image (a) with the encrypted version of a mostly white image (b)
What happens is that with your two pictures (a) and (b), because the color/brightness etc. of each pixel is encrypted using the same key in both cases, if you then multiply them together, you can reveal some information about picture (a). In Bernd’s example he’s effectively changing the contrast of the image.
Pretty cool so far, and surely this is bad news for McAfee products?
Well, not really, because it’s a long shot to see how this would actually affect anyone – remember the conditions for this to work:
The hacker has to have a copy of the bitmap file, encrypted with the same key as a copy of a mostly white bitmap. What he gets out of this is a contrast enhanced bitmap image.
So, the worst case is someone’s going to be able to get a grainy representation of your bitmaps.
If you store your pictures as JPG files there’s no risk, as these files have compression built in, so the attack doesn’t work (there’s no bit-for-bit relationship between two files). Of course, if you zip your bitmaps you are also secure. This attack ONLY works for uncompressed data, so anything else (Word documents, spreadsheets, TIFFs, JPGs, GIFs etc.) is immune from this kind of malarkey.
Finally, how does this apply to McAfee’s products? Well, of course Endpoint Encryption for PCs (full disk encryption) is completely immune, as it’s sector IV based, not file based, so you’ll never get two files encrypted in exactly the same way. As for Endpoint Encryption for File/Folder, I guess it might be possible if indeed you were unlucky enough to have fulfilled all the requirements above (had multiple copies of the files available and used the same key in each case, and you happened to also include a mostly white image).
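As an added illustration (not code from the original post, nor from any McAfee or PMC product), the Python sketch below shows why two uncompressed images encrypted identically leak content when combined, and why a distinct IV per file or sector stops it. It assumes a stream-style cipher, so the ciphertexts are combined with XOR rather than the multiplication described above; the SHA-256 keystream, the key, the IV values and both 16x16 images are constructed stand-ins.

```python
import hashlib

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Constructed stand-in keystream: SHA-256(key || iv || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def encrypt(key: bytes, iv: bytes, pixels: bytes) -> bytes:
    # Pixel-for-pixel encryption with no compression, as in the bitmap case.
    return bytes(p ^ k for p, k in zip(pixels, keystream(key, iv, len(pixels))))

def combine(cipher_a: bytes, cipher_b: bytes) -> bytes:
    # Guess image (a) from two ciphertexts, assuming (b) was white (0xFF).
    return bytes(x ^ y ^ 0xFF for x, y in zip(cipher_a, cipher_b))

def fraction_revealed(guess: bytes, truth: bytes) -> float:
    # Share of pixels in the guess that equal the real plaintext pixel.
    return sum(g == t for g, t in zip(guess, truth)) / len(truth)

# Constructed 16x16 8-bit greyscale samples (not real backup data).
SIZE = 16
IMAGE_A = bytes(0x00 if (x // 4 + y // 4) % 2 else 0xFF
                for y in range(SIZE) for x in range(SIZE))     # checkerboard
IMAGE_B = bytes([0x00] * SIZE + [0xFF] * (SIZE * (SIZE - 1)))  # mostly white
KEY = b"constructed-demo-key"

def same_key_same_iv() -> float:
    # Both files encrypted in exactly the same way: the keystream cancels.
    iv = b"shared-iv"
    guess = combine(encrypt(KEY, iv, IMAGE_A), encrypt(KEY, iv, IMAGE_B))
    return fraction_revealed(guess, IMAGE_A)

def same_key_unique_iv() -> float:
    # Same key, but each file gets its own IV: the combination is noise.
    guess = combine(encrypt(KEY, b"iv-file-a", IMAGE_A),
                    encrypt(KEY, b"iv-file-b", IMAGE_B))
    return fraction_revealed(guess, IMAGE_A)

if __name__ == "__main__":
    print("same key, same IV   :", same_key_same_iv())
    print("same key, unique IVs:", same_key_unique_iv())
```

The one black row in the constructed image (b) comes out inverted in the guess, which is why a mostly white reference yields a degraded rather than perfect copy of (a).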
Expanding on the idea, it seems possible that the attack could leak data in the case of any structured, uncompressed, mostly similar data – I can’t see though that the actual key could ever be recovered, or that anything more than “plausible deniability” would be affected – I’m happy to be corrected by any crypto heads though. I can see that it would be possible to infer some relationship between the images if you were for example comparing multiple backups. You could argue that the leaked contrast-enhanced information from backup (a) matched that of backup (b), so if you were trying to deny that a seized laptop and a CD found at a crime scene were related, you could be in a sticky position.
Don’t store sensitive pictures as bitmaps I guess is my advice.
I’d call this a variant of the classic “known plaintext attack” – something which is generally considered impractical using the algorithms in our products. Anyone disagree?
Simon.