EFail mitigations for S/MIME

Uri Blumenthal uri at mit.edu
Thu May 17 01:00:02 CEST 2018

IMHO the correct solution would be to switch to a true Authenticated Encryption mode - like AES-OCB or AES-GCM.

Is there a chance to have this implemented soon?

Sent from my test iPhone

> On May 16, 2018, at 12:34, Ángel <angel at pgp.16bits.net> wrote:
>> On 2018-05-16 at 14:09 +0200, Andre Heinecke wrote:
>> Not really. I also don't think that it needs to be encrypted. 
>> Basically: Alice sends Bob encrypted data and also sends Bob "This is
>> the hash of the plaintext" by signing the plaintext.
>> Then Bobs client can know "This plaintext matches the hash Alice told
>> me about". -> It has not been manipulated.
>> Even if Eve can manipulate the Hash that Alice sends to Bob she can't
>> create a valid Hash for the original plaintext + her modifications.
> At first sight, it looks enough, since it would require already knowing
> the plaintext. However, it is not. You are providing an oracle that
> allows confirming whether a content is the one suspected by the
> attacker.
> Suppose we are in the context of a poll, where Alice sent Bob "The
> president should be Charlie". At the end of the vote, Bob publishes the
> encrypted mails, for auditing reasons.
> Eve wants to know for whom did Alice vote, so she -suspecting she voted
> for Charlie-, extracts the encrypted content, adds her own hash for the
> guessed plaintext, and sends it to the victim (she can perform any
> cipher malleability attack by simply adjusting the final hash).
> If the content is decrypted, it means she guessed right. Otherwise, the
> encrypted contents were different, the decryption failed and she will
> try the attack again with another candidate. (She may even be able to
> test several guesses in a single malicious email)
> You need both pieces to be linked. It could be enough to just include in
> the hash computation a "secret IV" that is stored in the encrypted part,
> but it seems fragile, and at that point, I would simply include the hash
> itself.
> (Obviously, if you were really including a cleartext-signed hash of the
> message, Eve wouldn't need to perform an efail attack at all, as she
> could simply test the hash against the list of people running for
> president)
> Best regards
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list