Re: [openpgp] OpenPGP SEIP downgrade attack

Werner Koch <wk@gnupg.org> Mon, 05 October 2015 18:16 UTC

Return-Path: <wk@gnupg.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14EC41B32A6 for <openpgp@ietfa.amsl.com>; Mon, 5 Oct 2015 11:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yXyJhH776aOB for <openpgp@ietfa.amsl.com>; Mon, 5 Oct 2015 11:16:05 -0700 (PDT)
Received: from kerckhoffs.g10code.com (kerckhoffs.g10code.com [IPv6:2001:aa8:fff1:100::22]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EFAD1B328D for <openpgp@ietf.org>; Mon, 5 Oct 2015 11:16:05 -0700 (PDT)
Received: from uucp by kerckhoffs.g10code.com with local-rmail (Exim 4.80 #2 (Debian)) id 1ZjAIs-0004fU-VX for <openpgp@ietf.org>; Mon, 05 Oct 2015 20:16:03 +0200
Received: from wk by vigenere.g10code.de with local (Exim 4.84 #3 (Debian)) id 1ZjAGB-0008Jk-Qb; Mon, 05 Oct 2015 20:13:15 +0200
From: Werner Koch <wk@gnupg.org>
To: Jonas Magazinius <jonas.magazinius@assured.se>
References: <56128436.40607@assured.se>
Organisation: g10 Code GmbH
X-message-flag: Mails containing HTML will not be read! Please send only plain text.
OpenPGP: id=F2AD85AC1E42B367; url=finger:wk@g10code.com
Mail-Followup-To: Jonas Magazinius <jonas.magazinius@assured.se>, openpgp@ietf.org, cryptography@metzdowd.com, cfrg@mail.ietf.org
Date: Mon, 05 Oct 2015 20:13:15 +0200
In-Reply-To: <56128436.40607@assured.se> (Jonas Magazinius's message of "Mon, 5 Oct 2015 16:07:50 +0200")
Message-ID: <87y4fh4210.fsf@vigenere.g10code.de>
User-Agent: Gnus/5.13 (Gnus v5.13)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/9uJYltQjfOaTKlnarJoDYnLXNzc>
Cc: cfrg@mail.ietf.org, openpgp@ietf.org, cryptography@metzdowd.com
Subject: Re: [openpgp] OpenPGP SEIP downgrade attack
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Oct 2015 18:16:07 -0000

On Mon,  5 Oct 2015 16:07, jonas.magazinius@assured.se said:

> predictable message structure, it is possible to switch the SEIP tag to
> SE, strip the MDC (and signature), and align and manipulate the

> protection has been questioned now and then over the years [1,2], but
> it's been maintained that it is secure against this kind of attack [3].

Well, I assumed that this is the case (my "Yes") but in the next mail
Trevor explained that this is not true.  More important however is my
remark that we need to get MDC deployed so that we can issue an error
for non MDC packets instead of just a warning.

AFAIK, there are still implementations not supporting MDC and a small
number of folks loudly complaining when I removed PGP-2 support.

> A large part of the problem here is due to CFB mode, but it seems we're
> stuck with that. It would make sense to use a different mode, but again
> I understand the legacy issues.

One of the goals of 4880bis is:

  - A symmetric encryption mechanism that offers modern message
    integrity protection (AEAD)



Shalom-Salam,

   Werner


-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.