danger of decrypted files without integrity protection

Andrew Gallagher andrewg at andrewg.com
Thu May 17 11:29:26 CEST 2018


On 17/05/18 10:18, Holger Smolinski wrote:
> 2nd variant is attacking CFB mode by injecting CFB gadgets that
> decrypt to some markup, which cause the mail client to leak
> decrypted content. This should be easily prevented by proper
> signature verification as the gadget injection leads to modified
> plaintext.

We need to be careful here to distinguish signatures (that declare an
identity) from integrity protection. Signatures are not required for
integrity, and in many cases are not desirable because they break
anonymity. Integrity protection such as AE and MDC are perfectly good
solutions that don't require a pubkey signature. AE is the "proper" way
to do it as integrity failures can be detected sooner in the decryption
process, but MDC (IFF handled properly by the calling program, which
admittedly is not always the case) is a reasonable fallback.

The solution that we've all known about for ages is to get authenticated
encryption into the standard, but that's not going to happen tomorrow.

-- 
Andrew Gallagher
