EFail mitigations for S/MIME

Werner Koch wk at gnupg.org
Wed May 16 13:32:00 CEST 2018

On Tue, 15 May 2018 14:31, aheinecke at intevation.de said:

> - Any hash over the plaintext.

You mean to put a hash as kind of additional data inside the
EnvelopedData (the CMS name for encrypted dats) to make somthing like
the OpenPGP MDC?  

CMS does not allow for this.  What you can do is to put arbitrary
attributes into the UnprotectedAttributes section.  But as the name
says, this is unprotected and not encrypted so it differs from an MDC.

Anyway, this would be a proprietary extension which does not help with
interoperability.  If you don't need to be interoperabe with other
S/MIME implementaion it is anyway better to use OpenPGP.  I would bet
that many implementations will bail out on that uncommon and optional

CMS has the AuthenticatedData as a MAC system which could be put around
the EnvelopedData but this features is not implemented in any widely
used client.  The actual extension for authenticated data is RFC-5083
which describes the Authenticated-Enveloped-Data content type.  It can
be used with AES-CCM or AES-GCM as specified in RFC-5084 (urgs) or with
ChaCHa20-poly1305 (RFC-8103).  But well, it is also not implemented. 

If you want to fix CMS this should be used - iff all vendors agree.



# Please read: Daniel Ellsberg - The Doomsday Machine # Die Gedanken
sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180516/0159de3f/attachment.sig>

More information about the Gnupg-devel mailing list