[Cryptography] Attacks on PGP (and allegedly S/MIME)

Jerry Leichter leichter at lrw.com
Wed May 16 12:01:02 EDT 2018


> https://efail.de/
> 
> Rather more interesting is the gadget attack. I think this is further support for my approach of using a key derivation function to obtain the encryption, authentication keys and IV from the session key.

If you look at this more closely, there's a fundamental violation of basic cryptographic principles involved here.  Think of the old red (unencrypted "secret" world)/black (encrypted "sanitized" world) distinction.  It was in the past often implemented as actual physical separation:  "Red" material could only be accessed within a secure, isolated facility.  All that could flow in and out of that facility was "black" material.

In these attacks, we take black material (the encrypted messages); send them into the secure facility (the PGP or S/MIME implementation); convert it to red material (the decrypted messages); *and then allow arbitrary red-material dependent messages to be sent out of the secure facility to the outside world*.  This relies on the "exfiltration mechanisms" that the paper refers to - and getting a URL followed is just one such mechanism - they identify others.

If the "secure facility" were properly isolated, the attacks couldn't work.

There's another, broader issue involved here as well:  Improper design and implementation of the underlying protocols.  At least some of the attacks depend on the fact that we have multiple interacting message syntaxes - MIME encapsulation of different message parts; PGP marking of message boundaries; HTML bracketing - which are not appropriately parsed.  It makes no logical sense for an HTML element to cross over two MIME message parts, but the two layers are handled independently and nothing enforces proper syntax.  It's all very reminiscent of the many attacks on protocols that use length prefixes but don't check, for example, that an inner length isn't larger than the remaining length of the next outer element.

The individual layers here have reasonably well-defined syntactic structures (well, HTML is always problematic - but at least at the level of individual elements, it's pretty simple); but they aren't so much combined as all thrown into a blender, with the hope that something sane emerges.  Well, surprise surprise, it doesn't.
                                                        -- Jerry
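
The length-prefix check mentioned in the message above, as an added example that is not part of the original post: a nested tag/length/value parser that bounds every inner length by its enclosing element, with a `strict=False` mode that bounds it only by the whole buffer to show what the missing check lets through. The wire format (1-byte tag, 2-byte big-endian length), the tag values, and all function names are assumptions constructed for this illustration.

```python
import struct

CONTAINER = 0x30  # hypothetical tag: the value is itself a run of elements

class FramingError(ValueError):
    """An element does not fit inside the element that encloses it."""

def elem(tag, value):
    """Encode one element: 1-byte tag, 2-byte big-endian length, value."""
    return struct.pack(">BH", tag, len(value)) + value

def parse(buf, start=0, end=None, strict=True):
    """Parse buf[start:end] into nested (tag, value) tuples.

    strict=True bounds every length by the enclosing element (end).
    strict=False bounds it only by the whole buffer, the flawed check.
    """
    end = len(buf) if end is None else end
    limit = end if strict else len(buf)
    out, pos = [], start
    while pos < end:
        if limit - pos < 3:
            raise FramingError(f"truncated header at offset {pos}")
        tag, length = struct.unpack_from(">BH", buf, pos)
        vstart = pos + 3
        if length > limit - vstart:
            raise FramingError(f"length {length} at offset {pos} overruns its container")
        vend = vstart + length
        if tag == CONTAINER:
            out.append((tag, parse(buf, vstart, vend, strict)))
        else:
            out.append((tag, buf[vstart:vend]))
        pos = vend
    return out

# Constructed sample data: a container followed by a sibling element.
SIBLING = elem(0x02, b"secret")
GOOD = elem(CONTAINER, elem(0x01, b"hdr")) + SIBLING
# Inner element claims 3 + len(SIBLING) bytes, but its container holds only 6.
INNER_BAD = struct.pack(">BH", 0x01, 3 + len(SIBLING)) + b"hdr"
BAD = elem(CONTAINER, INNER_BAD) + SIBLING

def strict_rejects(buf):
    """Return True if the strict parser refuses buf."""
    try:
        parse(buf)
    except FramingError:
        return True
    return False
```

With `strict=False` the inner element's value absorbs the bytes of the sibling that follows its container, so content from one element is reported as part of another; the strict parser raises `FramingError` at the inner header instead.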

