International Conference on Materials Engineering and Information Technology Applications (MEITA 2015)The Research on PGP Virtual Disk Password CrackingQingbing Jia, Lijun Zhang, Fei YuScience and Technology on Communication Security Laboratory, Chengdu, 610041, Chinaaemail: [email protected]: PGP; virtual disk; password crackingAbstract. PGP virtual disk encryption technology is a double-edged sword, on the one hand it ishelpful to prevent the user’s sensitive information on the disk from being stolen or tampered. On theother hand, some criminals take advantage of PGP virtual disk encryption to engage in illegalactivities. This paper proposes an effective method to crack password of PGP virtual disk, whichprovides the feasibility for the judicial investigation, counter-terrorism and prevention of criminalactivity.IntroductionPersonal desktop and notebook computers are becoming more and more popular since the 1980swhich induces a lot of important data are stored on hard disk. But people soon find such aphenomenon that is a great many sensitive data are leaked because of the disk loss or computerstolen which involves important secret information. This is a particularly bothersome problem forrelevant government agencies, enterprises and individuals. According to the result of a survey bythe USA Computer Security Institute, the loss of laptop and hard disk has become thesecond-largest security issue besides the computer virus infection[1]. In recent years, more peoplerealize the importance of disk data protection from the series of hard disk and laptop thievery.Therefore, many computer manufacturers and information security organizations focus on theresearch of data protection under the circumstance of laptop and hard disk lost.In order to prevent the laptop being stolen, manufacturers have come up with various ways suchas providing computer box similar to ordinary suitcase, inventing the alarm system, designing dataencryption program to avoid unauthorized users to understand the content of the computer, etc.Moreover, Laptops even introduced fingerprint security identification system and the user only needto press the fingerprint on the inductive area, then the fingerprint information will be recorded.Later, this system will require the user to provide fingerprint for identification and only thefingerprint is matched, the operating system can enter. But all these strategies have a fatal weakness:once the thieves take out the hard disk from computer by brute force, they can immediately accessthe valuable data in the hard disk which may cause the leakage of confidential information.In view of the above methods, many computer manufacturers and information securitycompanies adopt software encryption to protect the hard disk data. All the data on the hard drive isprotected by using this hard disk encryption technology which greatly reduces the risk ofconfidential data leakage. Disk encryption technology enables the data storage on the disk in theform of ciphertext while operating system can access and use these data in the way of real-timedecryption. This technology can effectively solve the problem of data confidentiality in the case ofcomputer stolen or lost.Pretty Good Privacy (PGP) software is confirmed as a secure and reliable encryption softwareafter enduring a large amount of safety testing and verification since it is announced. Utill now, noback door has been found in this software [2]. PGP Desktop encryption software contains all thefunctionality of PGP encryption technology and integrates the PGP disk encryption tools whichprovides much convenience for the security of personal data storage.There are many versions of PGP currently and the final free available version is PGP 10.0.2[3].Due to the effect of purchase by Symantec Corporation, PGP is no longer released separately as astand-alone installation package after version 10.0.2 but exists in the form of integrated plug-ins 2015. The authors - Published by Atlantis Press359

contained in other commercial security products of Symantec Norton company [4]. Hence, themajority of Internet users employ PGP 10.0.2.Encryption protection is a double-edged sword. On the one hand, it conveniently prevents theprivate information to be leaked. However, the encryption mode also provides an opportunity forsome criminals to engage in illegal activities, which induces that it is more difficult to implementinvestigation and evidence collection for those criminal activities of property infringement, corrupttransaction and even worse cases of affecting market economic order, national security and socialstability.So, the research on recovery of PGP encrypted virtual disk is greatly significant to prevent andinvestigate behaviors of leaking national secrets, terrorism and other criminal activities.The Working Principles of PGP Encrypted Virtual DiskPGP virtual disk is on the level of disk encryption, it can exploit a part of disk space to storesensitive data and this exclusive space is used to create a PGP disk encryption volume (.PGD files).The encryption volume can provide sufficient operations including files storage and applicationprogram running and so on, although the encrypted volume looks like a separate file.When a PGP disk encryption volume is mounted, we can use the disk location of PGP Diskencryption volume specified as a normal disk. For example, a user can install software in thisvolume or move and save confidential documents to this volume. When we do not use theencrypted volume, it can be unmounted immediately. However, the differece between PGP diskencryption volume and other mounted disk is that it provides the passphrase to control the mount ofvirtual disk, one will not be able to access to it unless he knows the correct password.When creating a new PGP disk encryption volume, system will require the user to select the filestorage location, volume size, disk drive name and password of protecting this virtual volume. APGD file is generated after volume creation. The mounted virtual disk will be protected by thepassword and it is encrypted in the state of unmounted. PGD files can also perform operations ofdeleting, copying or moving. Generally, PGP disk encryption volume exists in the form of apartition, but also can be used as a directory on NTFS partitions.Disk leEncryptEncryptPassphraseKeyEncrypt*.pgd FileFig. 1.The implementation of PGP disk encryption based on passwordThe specific procedure of creating encrypted volume and function implementation is as follows:(1) generate a new session key, every session key is unique corresponding to every encryptionoperation. A new session key data and salt is created from the random data and used for symmetrickey encryption algorithm. Concretely, function entrance named "GenerateNewKeyAndSalt" callsfunction "GetRandomBytes" to generate key data "KeyData", salt "Salt" and random number ofmalicious tampered data "MungeData". Function "GenerateNewSymmetricKey" makes use of theabove data to generate a new key of a symmetric key algorithm according to the differentalgorithms where PGP Disk supports symmetric algorithms including AES-256, CAST5-128,360

Twofish-128.(2) user enters the password and this password is directly used as key of a symmetric encryptionalgorithm to encrypt random generated session key. After the user input password, system callsfunction entrance "EncryptPassphraseKey" to complete processing of password and session keyencryption. Function "HashSaltSchedulePassphrase" adds salt value and hashes the password toprotect the security of the password, then calls function Encrypt to encrypt the session key withencrypted password and calculate the checksum value of password used for decryption verification,where algorithm include AES-256, CAST-128, Twofish-256.(3) Function "EncryptNewPGPdiskFile" uses the session key as the key of symmetriccryptographic algorithm to encrypt disk files. First, it will calculate the disk size that is required toencrypt, then encrypt the disk by using the chosen encryption algorithm in CFB operation mode andfinally generate PGD file. The optional algorithms are AES-256, CAST-128, Twofish-128. Theimplementation of PGP encryption is described in Figure 1.The Creation and Mount of PGP Disk VolumeA. The Creation of PGP Disk VolumeThe creation process of PGP virtual disk volume is as follows.(1)First, open the PGP desktop software and click the new virtual disk PGP disk options to startcreation as in Figure 2 (a) and (b).(a) The option for creation of PGP virtual disk (b) The parameters for creation of PGP virtual disk(c)Set the password for virtual disk volume(d) The successful creation of virtual disk volumeFig. 2.The Creation of PGP Disk Volume(2)Change the attribute of virtual disk according to the requirement and click "New PassPhraseUser " button to add user and passphrase. Then input user's password as shown in Figure 2 (c).(3)After click OK button, the virtual disk encryption volume will be created successfully asshown in Figure 2 (d).361

B. The Mount of PGP Disk VolumeThe mount process of PGP virtual disk volume is as follows.(1)Open the PGP desktop software, click on "open" option in the "file" menu.(2)Double-click the selected virtual disk encryption volume file, then click "mount" button andinput password and confirm as shown in Figures 3 (a) and (b).(a) Select the PGP virtual disk volume to mount(b)Enter the correct password of disk volumeFig. 3.The Mount of PGP Disk VolumeIf the mount is successful, then there will be a disk partition named "New PGP Disk1 (H:)" inhard disk of "my computer".The Cracking of PGP Encrypted Virtual DiskAccording to the encryption principle of PGP virtual disk in Figure 1 and reverse engineeringtechnology[5], we are able to crack the virtual disk encryption. Now we give the main process ofcracking.Step 1. Acquire the algorithm identification "PGPpgdEn -Algorithm", random number"PGPpgdSALT", checksum value "PGApgdCheckData" and hash iteration times "PGPpgdHash-Reps" from the virtual disk encryption file. Go to step 2.Step 2. Calculate the hash value "HashedPassphrase" of password by SHA-1 algorithm. Go tostep 3.Step 3. Generate the hash value "Key" by using SHA-1 algorithm to deal "PGPpgdSALT" and"HashedPassphrase" with times " PGPpgdHashReps". Go to step 4.Step 4. If PGPpgdEnAlgorithm 3 then go to step 6; otherwise use SHA1 algorithm to get thehash value " HashedPassphrase" of "Key PassPhrase" and go to step 5.Step 5. Generate the hash value "HashValue" by using SHA-1 algorithm to deal "PGPpgdSALT"and "Hashed-Passphrase" with times " PGPpgdHashReps", then combine some bytes of"HashValue" and "Key" to form a new value "Key". Go to step 6.Step 6. Calculate the ciphertext value "CheckData" of "Key" by the encrytion algorithmcorresponding to "PGPpgd-EnAlgorithm", and go to step 7.Step 7. If the value "CheckData" and "PGApgdCheckData" matches, then output this correctpassword, otherwise go to step (2).The whole cracking process is described in Figure 4.362

Vitual disk volume file*.pgdPasswordAcquire values ofPGPpgdEnAlgorithm、PGPpgdSALT、PGApgdCheck and PGPpgdHashRepsHashedPassphrase ashRepsPGPpgdEnAlgorithmPGPpgdEnAlgorithm 3Generate the hash value "Key" by using SHA-1algorithm to deal "PGPpgdSALT" and"HashedPassphrase" with times " PGPpgdHashReps"PGPpgdEnAlgorithm 3KeyTry againUse SHA1 algorithm to get the hash value "HashedPassphrase" of "Key PassPhrase"HashedPassphraseKeyPGPpgdSALTGenerate the hash value "HashValue",then combine some bytes of"HashValue" and "Key" to form a newvalue "Key"PGPpgdHashRepsPGApgdCheckDataCalculate the ciphertext value"CheckData" of "Key" by the encrytionalgorithm corresponding to"PGPpgdEnAlgorithm"CheckDataCheck value "CheckData"and "PGApgdCheckData"match or notNOYESOutput passwordFig. 4.The cracking process of PGP disk volumeConclusionThis paper proposed a method of cracking PGP encrypted virtual disk volume and the effect ofcracking will be better if combining with the dictionary cracking technology based on socialengineering. This cracking method is of great significance for the prevention and investigation ofleaking national secret, terrorism and other criminal activities.References[1]LIU Jing jing , YI Qing song, DAI Zi bin, Application of Hard Disk Encryption System inInformation Security, Modern Electronic Technology, 2007, 256(17) : 101- 104.[2]Philip R Zimmermann. No Back Doors. [2010-04-06]. http://www.philzimmer mann.com363

/EN/back ground/index.html.[3]PGP Corporation Home .com/business/theme.jsp?themeid pgp.[5]Deng Huijie, PGP Cracking Research and Implementation against Passphrase, thesis, ShanghaiJiaotong University, 2011.364

The encryption volume can provide sufficient operations including files storage and application program running and so on, although the encrypted volume looks like a separate file. When a PGP disk encryption volume is mounted, we can use the disk location of PGP Disk