[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Wed May 16 08:43:11 EDT 2018
On 2018-05-15 03:08, Peter Gutmann wrote:
> Mind you, a mailer broken enough to auto-fetch images/auto-render HTML content
> will also implement authenticated encryption as "Message tampering detected,
> continue anyway?", default = Yes.
In a slightly similar vein, I'm now seeing people on Twitter slamming
GnuPG for either not using authenticated encryption (AE) or not failing
hard when the authentication check fails. Such people will also
generally point out that PGP is very old, as if that had anything to do
with its security, or lack thereof.
If I understand correctly, GnuPG does on the one hand use a sort of AE,
but does on the other hand indeed not fail hard when the authentication
check fails, but at least on the third hand issues an error message,
which, however, the email client then proceeds to ignore.
In thinking about this a bit more, I came to realise that this situation
is exactly the same situation that occurs when using some of the shiny
new AEAD ciphers such as GCM that have been mandated by TLS 1.3: the
AEAD cipher will give you plaintext and only at the end do you realise
that the authentication check has failed.
People say that AEAD does encrypt-then-MAC, on the grounds that the
authentication token is computed on the ciphertext, not the plaintext.
But if my analysis above is correct, then the caller of an AEAD API gets
to decrypt (and therefore potentially act on) a message before its
authenticity could be ascertained, which was exactly what
encrypt-then-MAC was supposed to prevent, wasn't it?
If all that is true, I predict that we will see a number of Efail-like
problems with AEAD ciphers.
Fun,
Stephan
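The API property the post describes, as an added illustration that is not part of the mailing-list message: a constructed toy encrypt-then-MAC scheme (HMAC-SHA256 keystream and tag, not GCM) exposed through two decryptor styles, an online one that hands out plaintext before the tag is checked and a buffer-then-verify one that releases nothing unless authentication succeeds. All function names are my own.

```python
import hashlib
import hmac
import os

# Constructed toy AEAD (HMAC-SHA256 as a CTR-style keystream, HMAC tag over
# nonce || ciphertext). Not GCM and not for production use; it only reproduces
# the property discussed above: the tag can be checked only once all of the
# ciphertext has been seen, so an online API has already released plaintext.
CHUNK = 32

def _xor_chunk(key: bytes, nonce: bytes, index: int, data: bytes) -> bytes:
    block = hmac.new(key, nonce + index.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(b ^ k for b, k in zip(data, block))

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    return hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def encrypt(key: bytes, nonce: bytes, plaintext: bytes):
    ct = b"".join(_xor_chunk(key, nonce, i // CHUNK, plaintext[i:i + CHUNK])
                  for i in range(0, len(plaintext), CHUNK))
    return ct, _tag(key, nonce, ct)

def decrypt_streaming(key, nonce, ct, tag):
    """Online decryptor: yields plaintext chunk by chunk, raises only at the end."""
    for i in range(0, len(ct), CHUNK):
        yield _xor_chunk(key, nonce, i // CHUNK, ct[i:i + CHUNK])
    if not hmac.compare_digest(_tag(key, nonce, ct), tag):
        raise ValueError("authentication failed")

def decrypt_verified(key, nonce, ct, tag):
    """Buffer-then-verify: the tag is checked before a single byte is released."""
    if not hmac.compare_digest(_tag(key, nonce, ct), tag):
        raise ValueError("authentication failed")
    for i in range(0, len(ct), CHUNK):
        yield _xor_chunk(key, nonce, i // CHUNK, ct[i:i + CHUNK])

def released_by(decryptor, key, nonce, ct, tag):
    """Plaintext a naive consumer has acted on before learning of tampering,
    and whether authentication failed at all."""
    released = b""
    try:
        for chunk in decryptor(key, nonce, ct, tag):
            released += chunk
    except ValueError:
        return released, True
    return released, False

if __name__ == "__main__":
    key, nonce = os.urandom(32), os.urandom(12)
    ct, tag = encrypt(key, nonce, b"Please approve the attached wire transfer today.")
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]      # one flipped ciphertext byte
    for name, fn in (("streaming", decrypt_streaming), ("verified", decrypt_verified)):
        out, failed = released_by(fn, key, nonce, tampered, tag)
        print(f"{name}: auth failed={failed}, plaintext released={len(out)} bytes")
```

Both decryptors reject the tampered message; the difference is how much plaintext a caller that acts on chunks as they arrive has already consumed by the time the rejection reaches it.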