EFail mitigations for S/MIME

Ángel angel at pgp.16bits.net
Wed May 16 17:30:47 CEST 2018

On 2018-05-16 at 14:09 +0200, Andre Heinecke wrote:
> Not really. I also don't think that it needs to be encrypted. 
> Basically: Alice sends Bob encrypted data and also sends Bob "This is
> the hash of the plaintext" by signing the plaintext.
> Then Bobs client can know "This plaintext matches the hash Alice told
> me about". -> It has not been manipulated.
> Even if Eve can manipulate the Hash that Alice sends to Bob she can't
> create a valid Hash for the original plaintext + her modifications.

At first sight, it looks enough, since it would require already knowing
the plaintext. However, it is not. You are providing an oracle that
allows confirming whether a content is the one suspected by the

Suppose we are in the context of a poll, where Alice sent Bob "The
president should be Charlie". At the end of the vote, Bob publishes the
encrypted mails, for auditing reasons.
Eve wants to know for whom did Alice vote, so she -suspecting she voted
for Charlie-, extracts the encrypted content, adds her own hash for the
guessed plaintext, and sends it to the victim (she can perform any
cipher malleability attack by simply adjusting the final hash).
If the content is decrypted, it means she guessed right. Otherwise, the
encrypted contents were different, the decryption failed and she will
try the attack again with another candidate. (She may even be able to
test several guesses in a single malicious email)

You need both pieces to be linked. It could be enough to just include in
the hash computation a "secret IV" that is stored in the encrypted part,
but it seems fragile, and at that point, I would simply include the hash

(Obviously, if you were really including a cleartext-signed hash of the
message, Eve wouldn't need to perform an efail attack at all, as she
could simply test the hash against the list of people running for

Best regards

More information about the Gnupg-devel mailing list