PeopleSoft (Oracle) PSCipher Encryption Weakness

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PeopleSoft (Oracle) PSCipher Encryption Weakness
From: info@xxxxxxxxxxxx
Date: 4 Feb 2006 02:36:23 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Vendor:                 PeopleSoft
Product:                People Tools
Version:                8.4x
Platform:               Multi-platform
Title:                  Weak Encryption
                


Description:            

PeopleSoft uses PSCipher() for encryption/hashing purposes.  Based on 
observations from the output of PSCipher() and on our familiarity with the 
cryptographic library objects and methods used in the JCA/JCE, we were able to 
surmise PSCipher() uses the password-based encryption algorithm as defined in 
RSA Laboratories, "PKCS #5: Password-Based Encryption Standard," version 1.5, 
Nov 1993. 

In addition, based on PSCipher() output, the DES key used by PSCipher() is a 
fixed string, probably stored in a number of system directories. Knowledge of 
this key would greatly benefit password dictionary attacks against PSCipher() 
encrypted passwords.  A fairly knowledgeable attacker could easily determine 
what this fixed key is.

Based on the length of a password the algorithm pads and then outputs 8 byte 
values, using cipher block chaining mode for 8 byte blocks, output using base64 
encoding. Consequently, passwords patterns of the following are readily 
observed:
                        
PSCipher(x1x2x3x4x5x6x7x8) = C1
PSCipher(x1x2x3x4x5x6x7x8y1?.yi) = C1C  // block C varying up to i=8
PSCipher(x1x2x3x4x5x6x7x8y1?.y8z1?.zi) = C1C2C  //block C varying up to i=8

For example, 
PSCipher(12345678) = VsQZcQDrTFJg93xDQKeGJA==  
PSCipher (123456789) = VsQZcQDrTFLZN5WgnZfo1w==
                        
Note: Here VsQZcQDrTF corresponds to the 8 bytes ?12345678? encrypted with 
base64 encoding performed after cipher out. Also note that, as is seen in this 
example, the algorithm used by PSCipher() outputs encrypted text in 8 bytes 
streams. If a user chooses a 9 character password, the first 8 bytes of this 
will be the same for this password and an 8 character password using the same 
first 8 characters. Hence, a dictionary attack for a 9 character password can 
be done using the first 8
characters plus any additional characters.

In effect, increasing password length does not give an exponential increase in 
password strength, significantly aiding a dictionary attack against passwords.  
For example, suppose for simplicity only 10 characters are used for password 
composition. Compare a full 9 character password exhaust of 109     with a 108 
+ 10 exhaust.



Vendor Solution: (Provided by Oracle)
        
In Enterprise PeopleTools 8.47 and above, PeopleTools provides Triple DES 
encryption (i.e 3DES) for increased data security. The PSCipher Utility has 
been enhanced to provide a command line utility to encrypt a variety of text 
values stored in various configuration files throughout your system. In 
addition, the PSCipher includes the following features:

? Dynamic Key generation: The ability to generate unique encryption keys.
? Version maintenance: The key file maintains a version history of all previous 
versions of the keys, which enables text previously encrypted to be encrypted 
or decrypted.


Important additional information:

It is important to provide proper scope to the usage of PSCipher.  PeopleSoft 
does NOT use PSCipher for the following encryption purposes:
- PSCipher is NOT used for the encryption of ANY application data
- PSCipher is NOT used for the encryption of ANY data stored in the PeopleSoft 
DB.
- ALL user passwords stored in the DB are hashed using the SHA-1 Secure Hash 
Algorithm

In the instances where PSCipher is used within the PeopleSoft environtment, 
adherence to Security Best Practices would ensure that those IDs protected with 
PSCipher encryption would have minimal access to the system (additional access 
would be unnecessary and not recommended).  Additionally, and also in 
accordance to best practices, these passwords should only be persisted in 
secured areas of the system.  

PScipher is NOT a general purpose routine.  The decryption routine is NOT made 
available.  Therefore customers should not be using this routine for their own 
use to 'protect' other kinds of data. 

PeopleSoft routinely reviews the overall security posture of its products, and 
we provide robust processes and communication channels for our customers and 
3rd party organizations to provide feedback and information about possible 
security weaknesses.  These matters are given the highest level of attention 
and analysis and PeopleSoft endeavors to provide resolutions and fixes at the 
earliest possible time.

Vendor Trail:           

December 04 PeopleSoft contacted
December 04 PeopleSoft confirms
October  05 PeopleSoft provides solution
Febuary 06 Release


Contributers:           

Dr. Larry Wargo
Barrett McGuire
Matt Fotter


In-depth analysis is available at http://www.i-assure.com

Prev by Date: [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability
Next by Date: Re: [KDE Security Advisory] kpdf/xpdf heap based buffer overflow
Previous by thread: Re: [xfocus-SD-060206]BCB compiler incorrect deal sizeof operator vulnerability
Next by thread: SECURITY.NNOV: The Bat! 2.x message headers spoofing
Index(es):
- Date
- Thread