[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME

Werner Koch wk at gnupg.org
Thu May 17 15:33:15 EDT 2018


On Wed, 16 May 2018 14:43, stephan.neuhaus at zhaw.ch said:

> If I understand correctly, GnuPG does on the one hand use a sort of
> AE, but does on the other hand indeed not fail hard when the
> authentication check fails, but at least on the third hand issues an
> error message, which, however, the email client then proceeds to
> ignore.

Not quite.  The MDC (Modification Detection Code) is used by default for
15 years or so.  If the MDC indicates tampering gpg prints appropriate
error messages and fails as you would expect.  Now it is possible to do
a rollback attack from MDC encryption to old style encryption with a
negligible amount of garbled data.  gpg prints a warning in this case
because it needs to take care of legitimate use of non-MDC encryption
(mail archives or backup scripts originating from the last century which
use CAST5 or 3DES).

The pragmatic solution we implemented is to error out hard for a
missing MDC in the case of AES (or Camellia) but stick to the warning
for CAST5 and 3DES.  Clients have enough information to implement
another strategy and that is what Enigmail did yesterday.  And soon
they were bugged with complaints "I can't read my old mails anymore" or
"I can't read the mails created by Obscure(tm) OpenPGP
implementations anymore".

The need for backward compatibility is a real curse but after all some
data wants to be decrypted after 20 years.  Anyway, for the next major
version of gpg we have implemented a new AEAD method and then we simply
forbid MDC.  There might be some migration steps needed by users but at
some point we need to do that.

> If all that is true, I predict that we will see a number of Efail-like
> problems with AEAD ciphers.

Contrary to my first assumption I have no indication that error codes
were not checked by any client.  Thus the whole Efail paper is about
the HTML backchannels.

Note that the above is all about OpenPGP and not about S/MIME.

Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.
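The decision logic Werner describes (hard failure on a bad or missing MDC with AES/Camellia, warning only for CAST5/3DES) as an added example in Python; this is not GnuPG's code. It assumes the packet layout of RFC 4880: a v4 SKESK packet carrying the cipher id, a tag 9 (no MDC) or tag 18 (MDC) data packet, and an MDC trailer of 0xD3 0x14 followed by SHA-1 over everything before the hash. The packet parser handles only 1-, 2- and 4-octet lengths, and decryption itself is left out: `verify_mdc` takes an already decrypted body.

```python
import hashlib, hmac

SKESK, SED, SEIPD = 3, 9, 18  # packet tags (RFC 4880 section 4.3)
TRIPLEDES, CAST5, AES128, CAMELLIA128 = 2, 3, 7, 11  # symmetric algorithm ids (9.2)
LEGACY = {TRIPLEDES, CAST5}  # ciphers for which a missing MDC only warns
MDC_PREFIX = b"\xd3\x14"     # header of the 20-octet MDC packet (tag 19)

def parse_packets(data):
    """Yield (tag, body); old/new-format headers, 1/2/4-octet lengths only."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40:  # new-format header
            tag, l1 = ctb & 0x3F, data[i + 1]
            if l1 >= 224:
                raise ValueError("partial/5-octet lengths not handled")
            length, i = (l1, i + 2) if l1 < 192 else \
                (((l1 - 192) << 8) + data[i + 2] + 192, i + 3)
        else:  # old-format header; indeterminate length (type 3) raises KeyError
            tag, n = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 3]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def classify(data):
    """Return (cipher id from a v4 SKESK, tag of the encrypted-data packet)."""
    cipher = tag = None
    for t, body in parse_packets(data):
        if t == SKESK and body[0] == 4:
            cipher = body[1]
        elif t in (SED, SEIPD):
            tag = t
    return cipher, tag

def append_mdc(body):
    """Sender side (RFC 4880 5.13): body || D3 14 || SHA-1(body || D3 14)."""
    return body + MDC_PREFIX + hashlib.sha1(body + MDC_PREFIX).digest()

def verify_mdc(plain):
    """Receiver side, on the decrypted SEIPD body; constant-time compare."""
    if len(plain) < 22 or plain[-22:-20] != MDC_PREFIX:
        return False
    return hmac.compare_digest(hashlib.sha1(plain[:-20]).digest(), plain[-20:])

def decide(tag, cipher, plain):
    """Bad MDC fails hard; no MDC fails for AES/Camellia, warns for CAST5/3DES."""
    if tag == SEIPD:
        return "ok" if verify_mdc(plain) else "fail"
    return "warn" if tag == SED and cipher in LEGACY else "fail"  # else fail closed
```

Feeding a tag 9 message with a CAST5 session key yields "warn", the same message keyed with AES yields "fail", and a tag 18 body whose trailer no longer matches yields "fail".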