[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)

Andy Isaacson adi at hexapodia.org
Wed Feb 11 12:30:17 PST 2015


On Wed, Feb 11, 2015 at 05:56:44AM -0600, Tom Ritter wrote:
> > S/MIME presumably allows it, as messages done this way are still readable
> > without errors. But normally you want to authenticate after encryption,
> > right? Otherwise there can be odd attacks based on bit-flipping that can
> > result in a message that decrypts successfully but doesn't say what the
> > sender thought they said. There have been a bunch of crypto exploits based
> > on this technique over the years.
> 
> Only if you're constrained by the format I suppose.  You can
> Encrypt+MAC, asymmetrically encrypting a secret that's used to derive
> both the hmac and symmetric keys; or you can asymmetrically encrypt a
> key to be used for an AEAD mode.
> 
> PGP has this janky MDC thing
> http://tools.ietf.org/html/rfc4880#section-5.14 that would prevent a
> bitflipped message from getting through, but not side channels or
> attacks on the decryption process.

I'm not certain but I think GnuPG is putting a SHA inside the RSA
encryption of encrypted-but-not-signed messages.  pgpdump on the outer
message says:

    Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
	    New version(3)
	    Key ID - 0xXXXXXXXXXXXXXXXX
	    Pub alg - RSA Encrypt or Sign(pub 1)
	    RSA m^e mod n(4094 bits) - ...
		    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    Old: Public-Key Encrypted Session Key Packet(tag 1)(268 bytes)
	    New version(3)
	    Key ID - 0xXXXXXXXXXXXXXXXX
	    Pub alg - RSA Encrypt or Sign(pub 1)
	    RSA m^e mod n(2047 bits) - ...
		    -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
    New: Symmetrically Encrypted and MDC Packet(tag 18)(352 bytes)
	    Ver 1
	    Encrypted data [sym alg is specified in pub-key encrypted session key]
		    (plain text + MDC SHA1(20 bytes))

and gpg --list-packets shows the encrypted packets:

    :pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
	    data: [4094 bits]
    gpg: public key is XXXXXXXX
    :pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
	    data: [2047 bits]
    gpg: public key is XXXXXXXX
    ...
    :encrypted data packet:
	    length: 352
	    mdc_method: 2

mdc_method=2 is DIGEST_ALGO_SHA1.

    gpg: AES256 encrypted data
    :compressed packet: algo=2
    :literal data packet:
	    mode t (74), created 1423XXXXXX, name="...",
	    raw data: 337 bytes

I suppose that might be a plaintext unsigned SHA1, though.  A simple
bitflip on the data does not inspire confidence,

    % gpg --list-packets q
    gpg: CRC error; 95C76C - 4B3775

and fixing the CRC (the trailing "=Szd1" line of the PGP MESSAGE) gives:

    % gpg --list-packets q
    ...
    :compressed packet: algo=2
    gpg: fatal: zlib inflate problem: incorrect data check
    secmem usage: 2368/10240 bytes in 5/33 blocks of pool 10592/65536

-andy
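The Encrypt+MAC shape Tom describes above (one wrapped secret expanded into separate cipher and HMAC keys, tag checked before any decryption) next to the MAC-less case where a flipped ciphertext bit simply comes out as a flipped plaintext bit, as an added example that is not part of this thread. The HMAC-SHA256 keystream stands in for AES-CTR so it runs on the standard library alone, and SECRET, NONCE and PLAINTEXT are constructed values, not anything GnuPG or S/MIME produces.

```python
import hashlib
import hmac

# Constructed values: the secret stands in for the session key wrapped under the recipient's public key; the nonce must be fresh per message.
SECRET = b"constructed shared secret, not a real key"
NONCE = bytes(range(16))
PLAINTEXT = b"the answer is 1"

def derive_keys(secret: bytes):
    """Expand one secret into independent cipher and MAC keys (HKDF-shaped extract/expand)."""
    prk = hmac.new(b"email-etm-salt", secret, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256, a stdlib stand-in for AES-CTR."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt_then_mac(secret: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then tag nonce||ciphertext; the tag covers exactly the bytes that are received."""
    enc_key, mac_key = derive_keys(secret)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def verify_then_decrypt(secret: bytes, message: bytes):
    """Check the tag in constant time before decrypting; None means the message was rejected."""
    enc_key, mac_key = derive_keys(secret)
    nonce, ct, tag = message[:16], message[16:-32], message[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def decrypt_unauthenticated(secret: bytes, message: bytes) -> bytes:
    """What a MAC-less receiver sees: the stream cipher alone detects nothing."""
    enc_key, _ = derive_keys(secret)
    nonce, ct = message[:16], message[16:-32]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def demo():
    """Flip the low bit of the ciphertext byte that sits under the trailing '1' in PLAINTEXT."""
    tampered = bytearray(encrypt_then_mac(SECRET, NONCE, PLAINTEXT))
    tampered[16 + PLAINTEXT.index(b"1")] ^= 0x01
    tampered = bytes(tampered)
    return verify_then_decrypt(SECRET, tampered), decrypt_unauthenticated(SECRET, tampered)
```

`demo()` returns `(None, b'the answer is 0')`: the authenticated receiver rejects the message before touching the ciphertext, while the unauthenticated one decrypts cleanly to text the sender never wrote.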

