[messaging] Advertising public key in email (was: TOFU to ease PGP key discovery)
Andy Isaacson
adi at hexapodia.org
Wed Feb 11 12:30:17 PST 2015
On Wed, Feb 11, 2015 at 05:56:44AM -0600, Tom Ritter wrote:
> > S/MIME presumably allows it, as messages done this way are still readable
> > without errors. But normally you want to authenticate after encryption,
> > right? Otherwise there can be odd attacks based on bit-flipping that can
> > result in a message that decrypts successfully but doesn't say what the
> > sender thought they said. There have been a bunch of crypto exploits based
> > on this technique over the years.
>
> Only if you're constrained by the format I suppose. You can
> Encrypt+MAC, asymmetrically encrypting a secret that's used to derive
> both the hmac and symmetric keys; or you can asymmetrically encrypt a
> key to be used for an AEAD mode.
>
> PGP has this janky MDC thing
> http://tools.ietf.org/html/rfc4880#section-5.14 that would prevent a
> bitflipped message from getting through, but not side channels or
> attacks on the decryption process.
I'm not certain but I think GnuPG is putting a SHA inside the RSA
encryption of encrypted-but-not-signed messages. pgpdump on the outer
message says:
Old: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
	New version(3)
	Key ID - 0xXXXXXXXXXXXXXXXX
	Pub alg - RSA Encrypt or Sign(pub 1)
	RSA m^e mod n(4094 bits) - ...
		-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
Old: Public-Key Encrypted Session Key Packet(tag 1)(268 bytes)
	New version(3)
	Key ID - 0xXXXXXXXXXXXXXXXX
	Pub alg - RSA Encrypt or Sign(pub 1)
	RSA m^e mod n(2047 bits) - ...
		-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
New: Symmetrically Encrypted and MDC Packet(tag 18)(352 bytes)
	Ver 1
	Encrypted data [sym alg is specified in pub-key encrypted session key]
		(plain text + MDC SHA1(20 bytes))
and gpg --list-packets shows the encrypted packets:
:pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
	data: [4094 bits]
gpg: public key is XXXXXXXX
:pubkey enc packet: version 3, algo 1, keyid XXXXXXXXXXXXXXXX
	data: [2047 bits]
gpg: public key is XXXXXXXX
...
:encrypted data packet:
	length: 352
	mdc_method: 2
(mdc_method=2 is DIGEST_ALGO_SHA1.)
gpg: AES256 encrypted data
:compressed packet: algo=2
:literal data packet:
	mode t (74), created 1423XXXXXX, name="...",
	raw data: 337 bytes
I suppose that might be a plaintext unsigned SHA1, though. A simple
bitflip on the data does not inspire confidence,
% gpg --list-packets q
gpg: CRC error; 95C76C - 4B3775
and fixing the CRC (the trailing "=Szd1" line of the PGP MESSAGE) gives:
% gpg --list-packets q
...
:compressed packet: algo=2
gpg: fatal: zlib inflate problem: incorrect data check
secmem usage: 2368/10240 bytes in 5/33 blocks of pool 10592/65536
-andy
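The three constructions the thread contrasts (encrypt with no integrity check, an unkeyed digest carried inside the encryption as the OpenPGP MDC does, and Tom's Encrypt+MAC with both keys derived from one shared secret) can be compared side by side. The following is an added example, not code from the thread or from GnuPG; it uses only the Python standard library, so the "cipher" is a constructed XOR keystream built from HMAC-SHA256, not OpenPGP's CFB mode (in CFB a flipped ciphertext byte also garbles the following block, which is why Andy's experiment ended in a zlib error rather than a clean plaintext change). The MDC digest here approximates RFC 4880 section 5.14 (SHA-1 over the plaintext plus the 0xD3 0x14 header, without the random prefix bytes); the key labels, nonce and message are assumptions. The point it makes visible is that an unkeyed digest catches accidental or blind corruption but is not a MAC, whereas a keyed tag over the ciphertext rejects any modification.

```python
import hashlib
import hmac
import struct


# Constructed toy stream cipher: keystream blocks are HMAC-SHA256(key, nonce||counter).
# It only serves to show malleability with the standard library; it is NOT
# OpenPGP's CFB mode and NOT a cipher anyone should deploy.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# 1. Encryption only: a ciphertext bit flip lands in the plaintext unnoticed.
def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor(ciphertext, keystream(key, nonce, len(ciphertext)))


# 2. MDC-style: an unkeyed SHA-1 of the plaintext travels inside the encryption.
#    Approximation of RFC 4880 5.14 (plaintext + 0xD3 0x14 header, prefix omitted).
MDC_HEADER = b"\xd3\x14"


def mdc_digest(plaintext: bytes) -> bytes:
    return hashlib.sha1(plaintext + MDC_HEADER).digest()


def encrypt_with_mdc(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return encrypt_only(key, nonce, plaintext + mdc_digest(plaintext))


def decrypt_with_mdc(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    body = decrypt_only(key, nonce, ciphertext)
    plaintext, digest = body[:-20], body[-20:]
    if not hmac.compare_digest(mdc_digest(plaintext), digest):
        raise ValueError("MDC mismatch")
    return plaintext


# 3. Encrypt-then-MAC: one shared secret (what the RSA packet would carry)
#    is expanded into a separate encryption key and MAC key; the tag covers
#    the ciphertext, so it is checked before any decryption happens.
def derive_keys(secret: bytes) -> tuple:
    enc_key = hmac.new(secret, b"assumed-label:enc", hashlib.sha256).digest()
    mac_key = hmac.new(secret, b"assumed-label:mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_then_mac(secret: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = derive_keys(secret)
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_then_mac(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    enc_key, mac_key = derive_keys(secret)
    ct, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC mismatch")
    return decrypt_only(enc_key, nonce, ct)


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def outcome(fn):
    """Return the decrypted bytes, or a 'rejected: ...' string if the check fired."""
    try:
        return fn()
    except ValueError as e:
        return "rejected: " + str(e)


def demo() -> dict:
    secret = b"constructed shared secret, not a real key"   # constructed
    nonce = b"constructed-nonce"                            # constructed
    msg = b"transfer 10 dollars"                            # constructed
    out = {}
    # Flipping bit 0 of the '0' at offset 10 turns "10" into "11"; with no
    # integrity check the receiver gets a well-formed, wrong message.
    ct = encrypt_only(secret, nonce, msg)
    out["encrypt_only"] = decrypt_only(secret, nonce, flip_bit(ct, 10))
    # The inner digest catches the same blind flip ...
    ct = encrypt_with_mdc(secret, nonce, msg)
    out["mdc_random_flip"] = outcome(lambda: decrypt_with_mdc(secret, nonce, flip_bit(ct, 10)))
    # ... but it is unkeyed: under this XOR cipher, anyone who knows the whole
    # plaintext can recompute it, so the digest is not a MAC.
    new_msg = b"transfer 99 dollars"
    delta = xor(msg + mdc_digest(msg), new_msg + mdc_digest(new_msg))
    out["mdc_known_plaintext"] = outcome(lambda: decrypt_with_mdc(secret, nonce, xor(ct, delta)))
    # Encrypt-then-MAC rejects the flip before decrypting anything.
    data = encrypt_then_mac(secret, nonce, msg)
    out["etm_random_flip"] = outcome(lambda: decrypt_then_mac(secret, nonce, flip_bit(data, 10)))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result!r}")
```

The last case is the one that matters for the thread's question: the unkeyed MDC distinguishes "corrupted" from "intact", which is what Andy's CRC/zlib failures show, but only a keyed tag (HMAC or an AEAD mode) binds the ciphertext to a secret the sender held, and checking it before decryption also removes the decryption-oracle side channels Tom mentions.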