[Top] [All Lists]

Re: [openpgp] OpenPGP SEIP downgrade attack

2015-10-05 20:49:54
Jonas Magazinius <jonas(_dot_)magazinius(_at_)assured(_dot_)se> writes:

I've recently been analysing the OpenPGP standard and have found that it 
is vulnerable to a chosen-ciphertext attack to downgrade an SEIP packet 
to a plain SE packet. 

Nice work!

Part of the reason SEIP and MDC was introduced ~15 years ago was to deal 
with exactly this problem. 

It's always been a quick hack though.  I didn't implement MDC for a long 
time because I was waiting for it to be done properly (encrypt-then-MAC),
but eventually I decided that a hack was better than nothing at all.  It's
really not hard to do properly, just take what CMS / S/MIME did and convert
the bit-bagging to PGP format [0].  Encrypting a non-keyed hash in CFB mode 
of all things is just asking for trouble.

Different implementations handle SE packets differently.

Is the SEIP -> SE rewrite completely transparent, or are there implementation
quirks/peculiarities that make it work in some cases and not others?  It'd
be interesting to have a sample of a SEIP message with its SE rewrite to look


[0] It specifically protects against strip-the-MAC/rewrite-the-message 
    attacks, but if you *can* find an attack I'd be interested in hearing 
    about it.
openpgp mailing list

<Prev in Thread] Current Thread [Next in Thread>