small security glitches

Daniel Kahn Gillmor dkg at
Wed Feb 29 19:18:58 CET 2012

On 02/29/2012 10:33 AM, Post Carter wrote:

> An individual intercepts an encrypted email.  He places a plaintext addition within the package, in such a manner that when the originally intended recipient decrypts the message, the symmetric session key also "decrypts" the addition

> But since the plaintext addition was not encrypted (but probably looked encrypted), it is now encrypted to the symmetric session key.

The above two steps are clear so far.

>  If the originally intended recipient then sends this "gibberish" back to the original sender (to inquire about it), the interceptor again intercepts this, and now

i'm assuming that the intended recipient sends the "gibberish" back to
the original sender encrypted, right?  if they send it in the clear,
it's hardly the fault of the cryptosystem that the cleartext was exposed.

> has both his original plaintext addition, and the symmetric session key encryption of that plaintext.

eh?  how does it follow that the attacker has both of these?  afaict,
the attacker has:

 A) the original ciphertext

 B) the modified ciphertext (which they supplied arbitrary data for)

 C) a re-encrypted version of the modified cleartext (reencrypted
    against a different session key, presumably).

>  From this, he is able to reverse the XOR processing of the original encryption to produce the plaintext of the originally intercepted encrypted message. 

I don't understand how this follows either.  where does XOR come in?
Which part of OpenPGP is using XOR here?

At any rate, this is indeed about message integrity; if you want
encrypted integrity, you need your peer to supply an MDC (gpg does this
by default).  If you want verifiable message provenance with message
integrity, you need your peer to sign their messages.

If Alice does something like take an un-verified message, decrypt it,
and then post the plaintext somewhere anyone can look at it, then the
cryptosystem hasn't failed; but alice has stopped using the cryptosystem.


More information about the Gnupg-users mailing list