[Cryptography] Vulnerability found in badly broken email apps that use PGP and S/MIME

Ondrej Mikle ondrej.mikle at gmail.com
Fri May 18 20:44:36 EDT 2018


On 05/17/18 21:33, Werner Koch wrote:
> On Wed, 16 May 2018 14:43, stephan.neuhaus at zhaw.ch said:
> 
>> If I understand correctly, GnuPG does on the one hand use a sort of
>> AE, but does on the other hand indeed not fail hard when the
>> authentication check fails, but at least on the third hand issues an
>> error message, which, however, the email client then proceeds to
>> ignore.
> 
> Not quite.  The MDC (Modification detection code) is used by default for
> 15 years or so.  If the MDC indicates tampering gpg prints appropriate
> error messages and fails as you would expect.  Now it is possible to do
> a rollback attack from MDC encryption to old style encryption with a
> negligible amount of garbled data.  gpg prints a warning in this case
> because it needs to take care of legitimate use of non-MDC encryption
> (mail archives or backup scripts originating from the last century which
> use CAST5 or 3DES).
> 
> The pragmatic solution we implemented is to error out hard for a
> missing MDC in the case of AES (or Camellia) but stick to the warning
> from CAST5 and 3DES.  Clients have enough information to implement
> another strategy and that is what Enigmail did yesterday.  And soon
> they were bugged with complaints "I can't read my old mails anymore" or
> "I can't read the mails created by Obscure(tm) OpenPGP
> implementations anymore".

Thanks for this explanation/clarification; there was a lot of misinformation
about it.

I have one note about piping the output of GnuPG decryption to anything. I think
a lot of people don't realize that piping and authenticated encryption are
incompatible unless you have a lot of RAM (for large files).

I tried to think about a way to handle this case the best, but I am not sure if
warning or documentation is enough.

BTW does anyone know what would happen if you "curl https://url.somewhere |
bash" if the stream was large and output (deliberately) corrupted? (I am not
saying that it is a good idea to use curl to pipe to bash, but a lot of people
got used to thinking that since it's https, it's OK - but I don't know what
actually happens when the integrity check fails).

Regards,
  O. Mikle
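The point about piping and authenticated encryption, as an added example that is not from this thread or from GnuPG: a toy encrypt-then-MAC stream (SHA-256 counter-mode keystream plus an HMAC-SHA256 tag, standing in for OpenPGP's cipher and MDC) is fed to two consumers. The "streaming" one behaves like a decryptor whose output is piped straight into another program: it releases plaintext as it arrives and only learns at the very end that the tag does not match. The "verify first" one spools the stream to a temporary file on disk, checks the tag, and only then releases anything, which is what makes large inputs workable without holding them in RAM. The key, the payload and the `sink` callback (modelling whatever reads the pipe) are all constructed for the demo. The same shape applies to the `curl | bash` question: TLS authenticates each record, so corruption is detected and the connection aborted, but records that were already delivered have already been consumed by the reader.

```python
import hashlib
import hmac
import io
import tempfile

TAG_LEN = 32   # HMAC-SHA256 tag appended after the ciphertext
CHUNK = 16     # deliberately small read size so the demo streams in several pieces
KEY = b"\x11" * 32                                   # constructed demo key
SCRIPT = b"echo first\necho second\necho third\n"   # constructed payload


def _keystream(key: bytes, offset: int, length: int) -> bytes:
    """Toy counter-mode keystream (SHA-256 of key||block); not OpenPGP's cipher."""
    out = bytearray()
    block = offset // 32
    while len(out) < (offset % 32) + length:
        out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        block += 1
    start = offset % 32
    return bytes(out[start:start + length])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a tag over the whole ciphertext."""
    ct = _xor(plaintext, _keystream(key, 0, len(plaintext)))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt_streaming(key, stream, sink):
    """Naive pipe-style consumer: plaintext goes to `sink` as soon as it is
    decrypted; the tag is only checked once the stream ends. By then the
    sink has already acted on whatever arrived, corrupted or not."""
    mac = hmac.new(key, None, hashlib.sha256)
    pending, offset = b"", 0
    while True:
        data = stream.read(CHUNK)
        if not data:
            break
        pending += data
        if len(pending) > TAG_LEN:   # hold back the last TAG_LEN bytes: they may be the tag
            release, pending = pending[:-TAG_LEN], pending[-TAG_LEN:]
            mac.update(release)
            sink(_xor(release, _keystream(key, offset, len(release))))
            offset += len(release)
    if len(pending) != TAG_LEN or not hmac.compare_digest(mac.digest(), pending):
        raise ValueError("integrity check failed")


def decrypt_verify_first(key, stream, sink):
    """Verify-then-release: spool the whole stream to a temporary file (disk,
    not RAM), check the tag, and only then decrypt and hand plaintext to the
    sink. Nothing reaches the sink if verification fails."""
    with tempfile.TemporaryFile() as buf:
        while True:
            data = stream.read(CHUNK)
            if not data:
                break
            buf.write(data)
        total = buf.tell()
        if total < TAG_LEN:
            raise ValueError("stream too short to carry a tag")
        body_len = total - TAG_LEN
        buf.seek(body_len)
        tag = buf.read(TAG_LEN)
        mac = hmac.new(key, None, hashlib.sha256)
        buf.seek(0)
        for pos in range(0, body_len, CHUNK):
            mac.update(buf.read(min(CHUNK, body_len - pos)))
        if not hmac.compare_digest(mac.digest(), tag):
            raise ValueError("integrity check failed")
        buf.seek(0)
        for pos in range(0, body_len, CHUNK):
            data = buf.read(min(CHUNK, body_len - pos))
            sink(_xor(data, _keystream(key, pos, len(data))))


def demo(corrupt: bool) -> dict:
    """Run both consumers over the sealed script, optionally with one ciphertext
    byte flipped in transit. Returns {name: (bytes the sink received, verified?)}."""
    sealed = seal(KEY, SCRIPT)
    if corrupt:
        i = 20   # inside the ciphertext, well before the tag
        sealed = sealed[:i] + bytes([sealed[i] ^ 0x01]) + sealed[i + 1:]
    results = {}
    for name, fn in (("streaming", decrypt_streaming), ("verify_first", decrypt_verify_first)):
        received = bytearray()
        try:
            fn(KEY, io.BytesIO(sealed), received.extend)
            results[name] = (bytes(received), True)
        except ValueError:
            results[name] = (bytes(received), False)
    return results


if __name__ == "__main__":
    for corrupt in (False, True):
        for name, (got, ok) in demo(corrupt).items():
            print(f"corrupt={corrupt} {name:13s} verified={ok} sink got {len(got)} bytes")
```

With the corrupted stream, the streaming consumer hands all 34 payload bytes (one of them flipped) to the sink before raising, while the verify-first consumer raises without the sink ever seeing a byte; with the intact stream both deliver the script and verify. The cost of the safe variant is exactly the buffering the post mentions, which is why "pipe gpg output into X" and "fail hard on a bad MDC" cannot both hold for a consumer that acts on data incrementally.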

