Jonas Magazinius <jonas(_dot_)magazinius(_at_)assured(_dot_)se> writes:

I've recently been analysing the OpenPGP standard and have found that it
is vulnerable to a chosen-ciphertext attack to downgrade an SEIP packet
to a plain SE packet.

Part of the reason SEIP and MDC were introduced ~15 years ago was to deal
with exactly this problem.

It's always been a quick hack though. I didn't implement MDC for a long
time because I was waiting for it to be done properly (encrypt-then-MAC),
but eventually I decided that a hack was better than nothing at all. It's
really not hard to do properly, just take what CMS / S/MIME did and convert
the bit-bagging to PGP format. Encrypting a non-keyed hash in CFB mode
of all things is just asking for trouble.

Different implementations handle SE packets differently.

Is the SEIP -> SE rewrite completely transparent, or are there implementation
quirks/peculiarities that make it work in some cases and not others? It'd
be interesting to have a sample of a SEIP message with its SE rewrite to look

It specifically protects against strip-the-MAC/rewrite-the-message
attacks, but if you *can* find an attack I'd be interested in hearing
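
A receiving-side check for the SE/SEIP distinction discussed in this message, as an added example that is not part of the original post or of any implementation mentioned in it: it reads the top-level packet tags of a binary OpenPGP message (9 for SE, 18 for SEIP, per RFC 4880) and refuses input that carries a bare SE packet. The function names and the refuse-SE policy are assumptions of this example.

```python
# Added example: classify top-level OpenPGP packets by tag (RFC 4880, section 4.2).
SE_TAG, SEIP_TAG = 9, 18  # Symmetrically Encrypted Data / Integrity Protected Data

def _new_len(buf, i):
    """Decode a new-format length at buf[i]; return (length, next_index, is_partial)."""
    o = buf[i]
    if o < 192:
        return o, i + 1, False
    if o < 224:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2, False
    if o < 255:
        return 1 << (o & 0x1F), i + 1, True
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5, False

def packet_tags(buf):
    """Return the tags of the top-level packets in a binary OpenPGP message."""
    tags, i = [], 0
    while i < len(buf):
        hdr = buf[i]
        if not hdr & 0x80:
            raise ValueError("bit 7 of a packet header must be set")
        if hdr & 0x40:                      # new-format header
            tag = hdr & 0x3F
            length, i, partial = _new_len(buf, i + 1)
            while partial:                  # skip partial-body chunks
                i += length
                length, i, partial = _new_len(buf, i)
        else:                               # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                  # indeterminate: body runs to end of input
                length, i = len(buf) - i - 1, i + 1
            else:
                n = 1 << ltype              # 1, 2 or 4 length octets
                length, i = int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n
        if i + length > len(buf):
            raise ValueError("truncated packet")
        tags.append(tag)
        i += length
    return tags

def integrity_protected(buf):
    """Policy check (an assumption of this example): accept only SEIP, never bare SE."""
    tags = packet_tags(buf)
    return SEIP_TAG in tags and SE_TAG not in tags
```

Running the tag check before any decryption is attempted means the decision does not depend on how the decryption code happens to treat an SE packet.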