[Cryptography] [openpgp] OpenPGP SEIP downgrade attack

Werner Koch wk at gnupg.org
Mon Oct 5 14:13:15 EDT 2015

On Mon,  5 Oct 2015 16:07, jonas.magazinius at assured.se said:

> predictable message structure, it is possible to switch the SEIP tag to
> SE, strip the MDC (and signature), and align and manipulate the

> protection has been questioned now and then over the years [1,2], but
> it's been maintained that it is secure against this kind of attack [3].

Well, I assumed that this is the case (my "Yes") but in the next mail
Trevor explained that this is not true.  More important however is my
remark that we need to get MDC deployed so that we can issue an error
for non MDC packets instead of just a warning.

AFAIK, there are still implementations not supporting MDC and a small
number of folks loudly complaining when I removed PGP-2 support.

> A large part of the problem here is due to CFB mode, but it seems we're
> stuck with that. It would make sense to use a different mode, but again
> I understand the legacy issues.

One of the goals of 4880bis is:

  - A symmetric encryption mechanism that offers modern message
    integrity protection (AEAD)



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the cryptography mailing list