[Cryptography] [openpgp] OpenPGP SEIP downgrade attack
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Mon Oct 5 21:49:40 EDT 2015
Jonas Magazinius <jonas.magazinius at assured.se> writes:
>I've recently been analysing the OpenPGP standard and have found that it
>is vulnerable to a chosen-ciphertext attack to downgrade an SEIP packet
>to a plain SE packet.
Nice work!
>Part of the reason SEIP and MDC were introduced ~15 years ago was to deal
>with exactly this problem.
It's always been a quick hack though. I didn't implement MDC for a long
time because I was waiting for it to be done properly (encrypt-then-MAC),
but eventually I decided that a hack was better than nothing at all. It's
really not hard to do properly, just take what CMS / S/MIME did and convert
the bit-bagging to PGP format [0]. Encrypting a non-keyed hash in CFB mode
of all things is just asking for trouble.
>Different implementations handle SE packets differently.
Is the SEIP -> SE rewrite completely transparent, or are there implementation
quirks/peculiarities that make it work in some cases and not others? It'd
be interesting to have a sample of a SEIP message with its SE rewrite to look
at.
Peter.
[0] It specifically protects against strip-the-MAC/rewrite-the-message
attacks, but if you *can* find an attack I'd be interested in hearing
about it.
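
Added example, not part of the message above and not code from any OpenPGP implementation: a receiver-side check that tells an SE packet (tag 9) from an SEIP packet (tag 18) by parsing the RFC 4880 packet header, so a message whose encrypted-data packet lacks integrity protection is refused before decryption. The refuse-SE policy, the function names and the sample byte strings are assumptions made for the illustration.

```python
# Added example, not code from the thread. Header layout per RFC 4880 section 4.2.
TAG_SE, TAG_SEIP = 9, 18   # SE data packet / SEIP data packet

def parse_header(buf, pos=0):
    """Return (tag, body_start, body_len); body_len is None if not known up front."""
    b = bytes(buf[pos:pos + 6]).ljust(6, b"\0")   # padded; truncation is checked below
    if not b[0] & 0x80:
        raise ValueError("no OpenPGP packet header at this offset")
    if b[0] & 0x40:                               # new format: tag in bits 5-0
        tag, o = b[0] & 0x3F, b[1]
        if o < 192:
            hlen, length = 2, o
        elif o < 224:
            hlen, length = 3, ((o - 192) << 8) + b[2] + 192
        elif o == 255:
            hlen, length = 6, int.from_bytes(b[2:6], "big")
        else:
            hlen, length = 2, None                # partial body length
    else:                                         # old format: tag in bits 5-2
        tag, ltype = (b[0] >> 2) & 0x0F, b[0] & 0x03
        hlen = 1 if ltype == 3 else 1 + (1 << ltype)
        length = None if ltype == 3 else int.from_bytes(b[1:hlen], "big")
    if pos + hlen > len(buf):
        raise ValueError("truncated packet header")
    return tag, pos + hlen, length

def integrity_policy(msg):
    """Assumed policy: only SEIP (tag 18, version 1) may reach decryption."""
    pos = 0
    while pos < len(msg):
        tag, start, length = parse_header(msg, pos)
        if tag == TAG_SE:
            return False, "tag 9 (SE): no MDC, refuse to decrypt"
        if tag == TAG_SEIP:
            if start < len(msg) and msg[start] == 1:
                return True, "tag 18 (SEIP v1): decrypt, then require a valid MDC"
            return False, "tag 18 with unexpected version octet"
        if length is None:
            break                                 # cannot skip a packet of unknown length
        pos = start + length
    return False, "no encrypted-data packet found"

# Constructed samples: a dummy SKESK packet (tag 3), then the encrypted-data packet.
SKESK = bytes([0xC3, 4, 4, 9, 0, 2])
SEIP_MSG = SKESK + bytes([0xD2, 5, 1, 0, 0, 0, 0])   # new-format tag 18, version 1
SE_NEW = SKESK + bytes([0xC9, 4, 0, 0, 0, 0])        # new-format tag 9
SE_OLD = SKESK + bytes([0xA4, 4, 0, 0, 0, 0])        # old-format tag 9
```

The check has to run on the packet tag as received, because a tag 9 packet carries no MDC that could fail later; tag 18 has no old-format encoding since old-format headers only hold tags 0 to 15.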