EFail mitigations for S/MIME

Andre Heinecke aheinecke at intevation.de
Wed May 16 14:09:41 CEST 2018


Hi,

On Wednesday, May 16, 2018 1:32:00 PM CEST Werner Koch wrote:
> On Tue, 15 May 2018 14:31, aheinecke at intevation.de said:
> 
> > - Any hash over the plaintext.
> 
> You mean to put a hash as kind of additional data inside the
> EnvelopedData (the CMS name for encrypted data) to make something like
> the OpenPGP MDC?  
> 
> CMS does not allow for this.  What you can do is to put arbitrary
> attributes into the UnprotectedAttributes section.  But as the name
> says, this is unprotected and not encrypted so it differs from an MDC.

Not really. I also don't think that it needs to be encrypted. 

Basically: Alice sends Bob encrypted data and also sends Bob "This is the hash 
of the plaintext" by signing the plaintext.

Then Bob's client can know "This plaintext matches the hash Alice told me 
about". -> It has not been manipulated.
Even if Eve can manipulate the Hash that Alice sends to Bob she can't create a 
valid Hash for the original plaintext + her modifications.

> Anyway, this would be a proprietary extension which does not help with
> interoperability.  If you don't need to be interoperable with other
> S/MIME implementations it is anyway better to use OpenPGP.  I would bet
> that many implementations will bail out on that uncommon and optional
> UnprotectedAttributes.

No extension. Basically what I want to do is that for S/MIME HTML Mail / Mails 
with attachments GpgOL will only put the plaintext into Outlook if it also has 
a valid signature. Regardless of the trust in the signature.

I know it's a hack and proper AE would be better but I think it would mitigate 
an EFail style modification attack.


Best Regards,
Andre
-- 
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
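
The display rule described in the message above, written out as an added example (not part of the original post and not GpgOL's code): decrypted S/MIME content with an HTML body or attachments is released to the mail client only when it carries a valid signature, and signer trust is not consulted. The function names, the `sig_status` values and the requirement that the signed layer be the root of the decrypted payload are assumptions of this example.

```python
from email import message_from_string

def needs_signature(msg):
    """HTML bodies and attachments are the cases the post restricts."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if part.is_multipart() or ctype == "application/pkcs7-signature":
            continue  # containers and the detached signature itself
        if ctype == "text/html":
            return True
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return True
    return False

def may_display(decrypted_mime, sig_status):
    """Decide whether decrypted S/MIME content is handed to the mail client.

    sig_status is 'valid', 'invalid' or 'none', as reported by a hypothetical
    crypto backend. Trust in the signer is deliberately not an input.
    """
    msg = message_from_string(decrypted_mime)
    if not needs_signature(msg):
        return True
    # Assumption of this example: the signed layer must be the root of the
    # decrypted payload, so nothing outside it reaches the renderer.
    # Opaque signed-data (application/pkcs7-mime) is not unwrapped here and
    # is therefore withheld (fail closed).
    return msg.get_content_type() == "multipart/signed" and sig_status == "valid"

# Constructed sample payloads (what decryption would yield), not real mail.
PLAIN = "Content-Type: text/plain\n\nhello\n"
HTML = "Content-Type: text/html\n\n<p>hello</p>\n"
SIGNED_HTML = (
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b"\n\n'
    "--b\nContent-Type: text/html\n\n<p>hello</p>\n"
    '--b\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\n'
    "(constructed placeholder)\n--b--\n"
)
# HTML placed next to a signed sub-part: the signature does not cover it.
WRAPPED = (
    'Content-Type: multipart/mixed; boundary="m"\n\n'
    "--m\nContent-Type: text/html\n\n<p>added</p>\n"
    "--m\n" + SIGNED_HTML + "--m--\n"
)

if __name__ == "__main__":
    for name, payload, status in [("plain", PLAIN, "none"), ("html", HTML, "none"),
                                  ("signed", SIGNED_HTML, "valid"), ("wrapped", WRAPPED, "valid")]:
        print(name, may_display(payload, status))
```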