[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu May 17 01:35:59 EDT 2018


Stephan Neuhaus <stephan.neuhaus at zhaw.ch> writes:

>In thinking about this a bit more, I came to realise that this situation is 
>exactly the same situation that occurs when using some of the shiny new 
>AEAD ciphers such as GCM that have been mandated by TLS 1.3: the AEAD 
>cipher will give you plaintext and only at the end do you realise that the 
>authentication check has failed.

This is a real problem, and something I tried to address in RFC 6476:

https://tools.ietf.org/html/rfc6476#section-6

The encrypt-then-MAC is already to some extent a problem because you can
ignore the MAC failure and decrypt anyway, but for a combined mode you
don't have any choice, you have to decrypt in order to perform the MAC
operation, and once the plaintext is sitting there it's very hard not to
act on it, with the MAC failure relegated to a token warning popup.

Peter.
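The ordering question raised in the exchange above, as an added illustration that is not part of the post or of RFC 6476: with encrypt-then-MAC the receiver can check the tag before any decryption happens, whereas a decrypt-as-you-go pipeline that checks the tag last has already handed out plaintext by the time the failure is reported. The construction below is a constructed toy built from the Python standard library only (HMAC-SHA256 in counter mode as the keystream, HMAC-SHA256 as the tag); it is not AES-GCM or any real AEAD and exists only to make the point about when plaintext exists relative to the check. The message, keys and the single-bit modification are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed for illustration only: a toy encrypt-then-MAC scheme assembled
# from the standard library. It is NOT a substitute for AES-GCM or any other
# real AEAD; it exists to show when plaintext becomes available relative to
# the authentication check.

CHUNK = 16  # size of the plaintext pieces the streaming decryptor hands out


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext, aad=b""):
    """Encrypt-then-MAC: the tag covers AAD, nonce and ciphertext."""
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_verify_first(enc_key, mac_key, nonce, ct, tag, aad=b""):
    """Encrypt-then-MAC lets the receiver verify before decrypting, so when the
    check fails no plaintext has ever existed on the receiving side."""
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def streaming_decrypt_verify_last(enc_key, mac_key, nonce, ct, tag, aad=b""):
    """Models a combined-mode pipeline: plaintext pieces are produced as they
    are decrypted and the tag is only checked after the whole message.
    Every piece yielded here is UNAUTHENTICATED plaintext."""
    h = hmac.new(mac_key, aad + nonce, hashlib.sha256)
    ks = keystream(enc_key, nonce, len(ct))
    for i in range(0, len(ct), CHUNK):
        block = ct[i:i + CHUNK]
        h.update(block)
        yield xor(block, ks[i:i + CHUNK])
    if not hmac.compare_digest(h.digest(), tag):
        raise ValueError("authentication failed")


def plaintext_exposed_by_streaming(enc_key, mac_key, nonce, ct, tag, aad=b""):
    """Bytes a consumer that acts on each piece as it arrives would already
    have seen when the failure is finally reported (b"" if the tag verifies)."""
    seen = bytearray()
    try:
        for piece in streaming_decrypt_verify_last(enc_key, mac_key, nonce, ct, tag, aad):
            seen += piece
    except ValueError:
        return bytes(seen)
    return b""


def decrypt_buffered(enc_key, mac_key, nonce, ct, tag, aad=b""):
    """The safe way to consume a verify-last pipeline: buffer everything and
    release the plaintext only once the final check has passed. On failure the
    caller receives an exception and nothing else, so there is nothing to act on."""
    buf = bytearray()
    for piece in streaming_decrypt_verify_last(enc_key, mac_key, nonce, ct, tag, aad):
        buf += piece
    return bytes(buf)


def flip_bit(ct: bytes, index: int) -> bytes:
    """Constructed in-transit corruption: flip one bit so the tag no longer matches."""
    b = bytearray(ct)
    b[index] ^= 0x01
    return bytes(b)


def demo():
    """Run the three receivers against one genuine and one corrupted message."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    message = b"Please transfer 100 EUR to account 42. Signed, the CFO."  # constructed
    ct, tag = encrypt_then_mac(enc_key, mac_key, nonce, message)
    bad_ct = flip_bit(ct, len(ct) - 1)
    exposed = plaintext_exposed_by_streaming(enc_key, mac_key, nonce, bad_ct, tag)
    result = {
        "round_trip_ok": decrypt_verify_first(enc_key, mac_key, nonce, ct, tag) == message,
        "exposed_bytes": len(exposed),          # the whole message leaked before the failure
        "message_bytes": len(message),
        "prefix_intact": exposed[:-1] == message[:-1],  # and all but one byte of it is correct
    }
    for name, fn in (("verify_first", decrypt_verify_first), ("buffered", decrypt_buffered)):
        try:
            fn(enc_key, mac_key, nonce, bad_ct, tag)
            result[name] = "plaintext released"
        except ValueError:
            result[name] = "rejected, no plaintext"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The streaming receiver reports the failure only after it has handed out every byte of a message that differs from the genuine one in a single byte, which is exactly the situation where a "token warning popup" is unlikely to undo what the application already did with the text. The buffered wrapper shows the minimal discipline for a combined mode: keep the decrypted bytes private until the tag verifies, and on failure expose nothing.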

