Efail or OpenPGP is safer than S/MIME

Werner Koch wk at gnupg.org
Mon May 14 09:45:51 CEST 2018


Some may have noticed that the EFF has warnings about the use of PGP out
which I consider pretty overblown.  The GnuPG team was not contacted by
the researchers but I got access to version of the paper related to
KMail.  It seems to be the complete paper with just the names of the
other MUAs redacted.

Given that the EFF suggests to deinstall GpgOL, we know tha it is not
vulnerable; see see https://dev.gnupg.org/T3714.).

Here is a response I wrote on the weekend to a reporter who inquired on
this problem.

The topic of that paper is that HTML is used as a back channel to create
an oracle for modified encrypted mails.  It is long known that HTML
mails and in particular external links like <img href="tla.org/TAG"/>
are evil if the MUA actually honors them (which many meanwhile seem to
do again; see all these newsletters).  Due to broken MIME parsers a
bunch of MUAs seem to concatenate decrypted HTML mime parts which makes
it easy to plant such HTML snippets.

There are two ways to mitigate this attack

 - Don't use HTML mails.  Or if you really need to read them use a
   proper MIME parser and disallow any access to external links.

 - Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use
authenticated encryption (AE) since 2000 or 2001.  Our AE is called MDC
(Modification detection code) and was back then introduced for a very
similar attack.  Unfortunately some OpenPGP implementations were late to
introduce MDC and thus GPG could not fail hard on receiving a mail
without an MDC.  However, an error is returned during decrypting and no
MDC is used:

  gpg: encrypted with 256-bit ECDH key, ID 7F3B7ED4319BCCA8, created 2017-01-01
        "Werner Koch <wk at gnupg.org>"
  [GNUPG:] PLAINTEXT 62 1526109594 
  There is more to life than increasing its speed.
                  -- Mahatma Gandhi
  gpg: WARNING: message was not integrity protected

When giving a filename on the command line an output file is even not
created.  This can't be done in pipe mode because gpg allows to process
huge amounts of data.  MUAs are advised to consider the DECRYPTION_FAILED
status code and not to show the data or at least use a proper way to
display the possible corrupted mail without creating an oracle and to
inform the user that the mail is fishy.

For S/MIME authenticated encryption is not used or implemented in
practice and thus there is no short term way to fix this in S/MIME
except for not using HTML mails.

The upshot of this is that OpenPGP messages are way better protected
against such kind of attacks than S/MIME messages.  Unless, well, the
MUAs are correctly implemented and check error codes!



Some cryptographers turn up their nose at the OpenPGP MDC which is an
ad-hoc AE mode from a time before AE received much research.  However,
it does it job and protects reliable against this and other attacks.
The next OpenPGP revision will bring a real AE mode (EAX or OCB
depending on key preferences) which has other benefits (early detection
of corrupted messages, speed) but it will takes years before it will be
widely deployed and can can actually be used to create messages.

#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20180514/efe91a10/attachment-0001.sig>

More information about the Gnupg-users mailing list