EFail mitigations for S/MIME

Leo Gaspard gnupg at leo.gaspard.ninja
Thu May 17 02:44:01 CEST 2018

On 05/17/2018 01:00 AM, Uri Blumenthal wrote:
> IMHO the correct solution would be to switch to a true Authenticated Encryption mode - like AES-OCB or AES-GCM.
> Is there a chance to have this implemented soon?

AFAIU the attack put forward by Ángel doesn't work against GnuPG's MDC.

That said, the move to a true AE mode is coming with the next standard,
and will I guess be implemented when the standard will be finalized enough.

>> On May 16, 2018, at 12:34, Ángel <angel at pgp.16bits.net> wrote:
>>> On 2018-05-16 at 14:09 +0200, Andre Heinecke wrote:
>>> Not really. I also don't think that it needs to be encrypted. 
>>> Basically: Alice sends Bob encrypted data and also sends Bob "This is
>>> the hash of the plaintext" by signing the plaintext.
>>> Then Bobs client can know "This plaintext matches the hash Alice told
>>> me about". -> It has not been manipulated.
>>> Even if Eve can manipulate the Hash that Alice sends to Bob she can't
>>> create a valid Hash for the original plaintext + her modifications.
>> At first sight, it looks enough, since it would require already knowing
>> the plaintext. However, it is not. You are providing an oracle that
>> allows confirming whether a content is the one suspected by the
>> attacker.
>> Suppose we are in the context of a poll, where Alice sent Bob "The
>> president should be Charlie". At the end of the vote, Bob publishes the
>> encrypted mails, for auditing reasons.
>> Eve wants to know for whom did Alice vote, so she -suspecting she voted
>> for Charlie-, extracts the encrypted content, adds her own hash for the
>> guessed plaintext, and sends it to the victim (she can perform any
>> cipher malleability attack by simply adjusting the final hash).
>> If the content is decrypted, it means she guessed right. Otherwise, the
>> encrypted contents were different, the decryption failed and she will
>> try the attack again with another candidate. (She may even be able to
>> test several guesses in a single malicious email)
>> You need both pieces to be linked. It could be enough to just include in
>> the hash computation a "secret IV" that is stored in the encrypted part,
>> but it seems fragile, and at that point, I would simply include the hash
>> itself.
>> (Obviously, if you were really including a cleartext-signed hash of the
>> message, Eve wouldn't need to perform an efail attack at all, as she
>> could simply test the hash against the list of people running for
>> president)
>> Best regards
>> _______________________________________________
>> Gnupg-devel mailing list
>> Gnupg-devel at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel

More information about the Gnupg-devel mailing list