On 3/19/19 5:21 PM, Derek Atkins wrote:
In what situations would the receiver emit unauthenticated plaintext?
(Neal will probably respond, but let me just state that the current
implementation in GnuPG actually manages the output buffer
asynchronously from AEAD chunk processing, so that it will emit
plaintext from unauthenticated, partially processed chunks.)
Also, who is the
attacker? The Sender? Or a third party?
I'm thinking of something like EFAIL. So, a third-party attacker who
modifies the ciphertext.
EFAIL was more that that -- it was also leveraging the fact that USERS
of OpenPGP would merge the contents of authenticated and
non-authenticated data when presented in e.g. a MIME context, such that
the processor could not differentiate between the protected and
unprotected content.
That's true for some variants of the EFAIL attack (direct exfiltration
of unmodified ciphertexts with MIME wrapping), but not for all (crypto
gadgets exploiting ciphertext malleability and MDC error tolerance).
Thanks,
Marcus
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp