OpenPGP SEIP downgrade attack

OpenPGP SEIP downgrade attack(metzdowd.com)

43 points by mukyu 10 years ago | 5 comments

tptacek 10 years ago |

The flaw he appears to be talking about is that the OpenPGP MDC doesn't cover metadata; the message must be parsed to recover the authenticator before the authenticator can be checked, and so the ciphertext is malleable.

The properties he's talking about for CFB are largely true of CTR as well (the gold standard in streaming modes). I think, by suggesting PGP use a "different mode", he may instead mean it would be better if PGP used an authenticated encryption mode.

Authentication is a weak spot for PGP, since its design predates much of authenticated cryptography.

throwaway7767 10 years ago | |

Indeed, further down the thread Werner Koch suggests the solution is deploying AEAD modes, but the bottleneck is other implementations picking it up.

As an aside, I'm surprised this got posted to cryptography@metzdowd, the S/N on that list is so low I'm surprised anyone still bothers to read it.

nickpsecurity 10 years ago | |

Thanks for the clear translation of the issue.

adrianN 10 years ago |

So the message is: don't trust the integrity of encrypted mails unless the signature is valid? That doesn't seem too terrible.

nickpsecurity 10 years ago |

GPG comes through again. Not ideally but acceptably for the paranoids. :)