[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME

Stephan Neuhaus stephan.neuhaus at zhaw.ch
Wed May 16 08:43:11 EDT 2018


On 2018-05-15 03:08, Peter Gutmann wrote:
> Mind you, a mailer broken enough to auto-fetch images/auto-render HTML content
> will also implement authenticated encryption as "Message tampering detected,
> continue anyway?", default = Yes.

In a slightly similar vein, I'm now seeing people on Twitter slamming 
GnuPG for either not using authenticated encryption (AE) or not failing 
hard when the authentication check fails. Such people will also 
generally point out that PGP is very old, as if that had anything to do 
with its security, or lack thereof.

If I understand correctly, GnuPG does on the one hand use a sort of AE, 
but does on the other hand indeed not fail hard when the authentication 
check fails, but at least on the third hand issues an error message, 
which, however, the email client then proceeds to ignore.

In thinking about this a bit more, I came to realise that this situation
is exactly the same situation that occurs when using some of the shiny
new AEAD ciphers such as GCM that have been mandated by TLS 1.3: the 
AEAD cipher will give you plaintext and only at the end do you realise 
that the authentication check has failed.

People say that AEAD does encrypt-then-MAC, on the grounds that the 
authentication token is computed on the ciphertext, not the plaintext. 
But if my analysis above is correct, then the caller of an AEAD API gets 
to decrypt (and therefore potentially act on) a message before its 
authenticity could be ascertained, which was exactly what 
encrypt-then-MAC was supposed to prevent, wasn't it?

If all that is true, I predict that we will see a number of Efail-like 
problems with AEAD ciphers.

Fun,

Stephan

