Re: [openpgp] OpenPGP SEIP downgrade attack

Werner Koch <> Mon, 05 October 2015 18:16 UTC

From: Werner Koch <>
To: Jonas Magazinius <>
Organisation: g10 Code GmbH
Date: Mon, 05 Oct 2015 20:13:15 +0200

On Mon,  5 Oct 2015 16:07, said:

> predictable message structure, it is possible to switch the SEIP tag to
> SE, strip the MDC (and signature), and align and manipulate the

> protection has been questioned now and then over the years [1,2], but
> it's been maintained that it is secure against this kind of attack [3].

Well, I assumed that this is the case (my "Yes") but in the next mail
Trevor explained that this is not true.  More important however is my
remark that we need to get MDC deployed so that we can issue an error
for non-MDC packets instead of just a warning.

AFAIK, there are still implementations not supporting MDC and a small
number of folks loudly complaining when I removed PGP-2 support.

> A large part of the problem here is due to CFB mode, but it seems we're
> stuck with that. It would make sense to use a different mode, but again
> I understand the legacy issues.

One of the goals of 4880bis is:

  - A symmetric encryption mechanism that offers modern message
    integrity protection (AEAD)

Thoughts are free. Exceptions are regulated by a federal statute.
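The packet-level mechanics behind the thread, as an added example that is not part of this message or of any OpenPGP implementation: a SEIP (tag 18) packet is built with its MDC, an attacker without the key rewrites it into an SE (tag 9) packet by switching the tag, dropping the version octet and truncating the ciphertext by the length of the encrypted MDC packet, and a decryptor then either warns or errors on the missing MDC, which is exactly the policy change Werner argues for. Assumptions, all mine: a SHA-256-based toy PRF stands in for AES as the CFB block function; both packet types are decrypted with plain CFB (real SE packets use the resynchronising CFB variant of RFC 4880 section 13.9, which the quoted report says the attacker has to align to); the key, the random prefix and the message are constructed test values.

```python
"""Added example (not from the thread): SEIP -> SE downgrade and the decryptor's
missing-MDC policy (warn vs. error). Toy block function, plain CFB for both
packet types, and constructed inputs; see the lead-in for what is assumed."""
import hashlib
import os
from typing import Optional, Tuple

BLOCK = 16
SEIP_TAG, SE_TAG = 18, 9          # RFC 4880 tags: 18 = SEIP (with MDC), 9 = SE (no MDC)
MDC_HDR = b"\xd3\x14"             # MDC packet header: tag 19, length 20
MDC_LEN = len(MDC_HDR) + 20       # header + SHA-1 digest = 22 octets


class IntegrityError(Exception):
    pass


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy PRF standing in for AES (assumption); CFB only needs the forward direction."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Plain CFB with an all-zero IV, the mode SEIP uses (RFC 4880 5.13).
    The feedback register always holds ciphertext, so a ciphertext prefix
    decrypts to the matching plaintext prefix regardless of what follows."""
    prev, out = bytes(BLOCK), bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = block_encrypt(key, prev)
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        prev = chunk if decrypt else result
    return bytes(out)


def pack(tag: int, body: bytes) -> bytes:
    """New-format packet header (RFC 4880 4.2.2): one-octet length below 192, else 0xFF + 4 octets."""
    if len(body) < 192:
        length = bytes([len(body)])
    else:
        length = b"\xff" + len(body).to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def unpack(packet: bytes) -> Tuple[int, bytes]:
    """Inverse of pack(); returns (tag, body)."""
    if packet[0] & 0xC0 != 0xC0:
        raise ValueError("only new-format packets are modelled here")
    tag = packet[0] & 0x3F
    if packet[1] < 192:
        return tag, packet[2:2 + packet[1]]
    if packet[1] != 0xFF:
        raise ValueError("two-octet lengths are not modelled here")
    n = int.from_bytes(packet[2:6], "big")
    return tag, packet[6:6 + n]


def seip_encrypt(key: bytes, plaintext: bytes, prefix: Optional[bytes] = None) -> bytes:
    """Tag 18 packet: version octet 1, then CFB(prefix || plaintext || MDC packet)."""
    rnd = prefix if prefix is not None else os.urandom(BLOCK)
    full_prefix = rnd + rnd[-2:]             # RFC 4880 5.13: last two octets repeated
    body = full_prefix + plaintext + MDC_HDR
    body += hashlib.sha1(body).digest()      # MDC covers prefix, plaintext and its own header
    return pack(SEIP_TAG, b"\x01" + cfb(key, body, decrypt=False))


def decrypt(key: bytes, packet: bytes, missing_mdc: str = "warn") -> Tuple[str, bytes]:
    """Return (status, plaintext). missing_mdc is 'warn' (legacy) or 'error'."""
    tag, body = unpack(packet)
    if tag == SEIP_TAG:
        if body[0] != 1:
            raise IntegrityError("unknown SEIP version")
        pt = cfb(key, body[1:], decrypt=True)
        if pt[BLOCK - 2:BLOCK] != pt[BLOCK:BLOCK + 2]:
            raise IntegrityError("prefix quick check failed")
        if pt[-MDC_LEN:-20] != MDC_HDR or hashlib.sha1(pt[:-20]).digest() != pt[-20:]:
            raise IntegrityError("MDC mismatch")
        return "ok", pt[BLOCK + 2:-MDC_LEN]
    if tag == SE_TAG:
        if missing_mdc == "error":
            raise IntegrityError("tag 9 packet carries no MDC; refusing")
        pt = cfb(key, body, decrypt=True)    # assumption: plain CFB, not the SE resync variant
        return "warning: message was not integrity protected", pt[BLOCK + 2:]
    raise ValueError("not an encrypted data packet")


def downgrade(packet: bytes) -> bytes:
    """Attacker step from the quoted report, needing no key: switch the tag to SE,
    drop the version octet, and cut the last MDC_LEN ciphertext octets so the
    encrypted MDC packet disappears. CFB keeps the remaining prefix decryptable."""
    tag, body = unpack(packet)
    if tag != SEIP_TAG or body[0] != 1:
        raise ValueError("expected a version 1 SEIP packet")
    return pack(SE_TAG, body[1:-MDC_LEN])
```

With the legacy "warn" policy the downgraded packet decrypts to the original message and the only trace of the attack is a warning most callers ignore; with the "error" policy the tag 9 packet is rejected before any plaintext is released. A single flipped ciphertext octet in the untouched SEIP packet fails the MDC check, which is what the stripped MDC was protecting against.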