
OpenPGP SEIP downgrade attack - mukyu
http://www.metzdowd.com/pipermail/cryptography/2015-October/026685.html
======
tptacek
The flaw he appears to be talking about is that the OpenPGP MDC doesn't cover
metadata; the message must be parsed to recover the authenticator before the
authenticator can be checked, and so the ciphertext is malleable.

The properties he's talking about for CFB are largely true of CTR as well (the
gold standard in streaming modes). I think, by suggesting PGP use a "different
mode", he may instead mean it would be better if PGP used an authenticated
encryption mode.

Authentication is a weak spot for PGP, since its design predates much of
authenticated cryptography.

~~~
throwaway7767
Indeed, further down the thread Werner Koch suggests the solution is deploying
AEAD modes, but the bottleneck is other implementations picking it up.

As an aside, I'm surprised this got posted to cryptography@metzdowd, the S/N
on that list is so low I'm surprised anyone still bothers to read it.

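Editor's note: the two comments above make three points that are easier to see in code: a single flipped ciphertext bit in CFB flips the same plaintext bit and garbles only the following block (in CTR it flips just that bit), an MDC that lives inside the ciphertext is only checked if the receiver decides to look for it after parsing, and an AEAD-style construction whose tag also covers the outside metadata rejects the tampered message before anything is parsed. The following is an added example written for this page, not code from the linked thread, GnuPG or the OpenPGP spec. It is a model, not the RFC 4880 packet layout: the "MDC present" flag stands in for the packet tag, SHA-1 over the plaintext stands in for the MDC packet, and the block cipher is a constructed PRF (HMAC-SHA256 truncated to 16 bytes) rather than AES, which is sound here because CFB and CTR only ever use the forward direction. The encrypt-then-MAC function is a generic composition used as the AEAD stand-in, not one of the modes discussed in the thread. All inputs are constructed.

```python
import hashlib
import hmac

BLOCK = 16


def block_enc(key, block):
    # Stand-in for the AES forward direction: a constructed PRF (HMAC-SHA256
    # truncated to one block), not AES. CFB and CTR never call the inverse
    # direction, so the malleability shown below is what AES-CFB/AES-CTR show.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, pt):
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        c = xor(pt[i:i + BLOCK], block_enc(key, prev))
        out += c
        prev = c  # the ciphertext block feeds the next keystream block
    return bytes(out)


def cfb_decrypt(key, iv, ct):
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += xor(c, block_enc(key, prev))
        prev = c
    return bytes(out)


def ctr_xcrypt(key, nonce, data):
    # CTR is its own inverse; keystream depends only on (key, nonce, counter).
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        out += xor(data[i:i + BLOCK], block_enc(key, nonce + n.to_bytes(4, "big")))
    return bytes(out)


def flip_bit(data, byte_index, bit=0):
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def malleability(key, pt, idx):
    """Flip one ciphertext bit at byte idx; list which plaintext bytes change."""
    iv = bytes(BLOCK)  # fixed IV/nonce so the demo is deterministic
    cfb = cfb_decrypt(key, iv, flip_bit(cfb_encrypt(key, iv, pt), idx))
    ctr = ctr_xcrypt(key, iv[:12], flip_bit(ctr_xcrypt(key, iv[:12], pt), idx))
    changed = lambda p: [i for i, (x, y) in enumerate(zip(p, pt)) if x != y]
    return {"cfb": changed(cfb), "ctr": changed(ctr)}


def mdc_seal(key, iv, pt):
    # Model of an SEIP-style packet (not the RFC 4880 layout): SHA-1 of the
    # plaintext is appended and encrypted with it. The "MDC present" flag
    # travels outside the ciphertext, like the packet tag, and is unprotected.
    return True, cfb_encrypt(key, iv, pt + hashlib.sha1(pt).digest())


def mdc_open(key, iv, has_mdc, ct):
    # The receiver has to decrypt and parse before it can verify anything.
    pt = cfb_decrypt(key, iv, ct)
    if not has_mdc:
        return pt  # downgraded: a permissive receiver checks nothing
    body, tag = pt[:-20], pt[-20:]
    if not hmac.compare_digest(tag, hashlib.sha1(body).digest()):
        raise ValueError("MDC mismatch")
    return body


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_seal(key, nonce, header, pt):
    # Encrypt-then-MAC as an AEAD stand-in: the tag covers the header
    # (metadata), the nonce and the ciphertext, and is checked before parsing.
    ek, mk = _subkeys(key)
    ct = ctr_xcrypt(ek, nonce, pt)
    return ct, hmac.new(mk, header + nonce + ct, hashlib.sha256).digest()


def aead_open(key, nonce, header, ct, tag):
    ek, mk = _subkeys(key)
    expect = hmac.new(mk, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return ctr_xcrypt(ek, nonce, ct)


if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(BLOCK)                      # constructed key/IV
    pt = b"Pay Alice 100.00 USD by Friday. Thanks -- Bob."  # constructed message
    print("bytes changed by one flipped bit:", malleability(key, pt, 10))
    flag, ct = mdc_seal(key, iv, pt)
    tampered = flip_bit(ct, 10)
    try:
        mdc_open(key, iv, flag, tampered)
    except ValueError as e:
        print("MDC checked:", e)
    print("MDC flag stripped:", mdc_open(key, iv, False, tampered)[:len(pt)])
```

Running it shows the CFB output differing in the flipped byte plus the whole following block and the CTR output differing in the flipped byte only; with the flag intact the MDC check fails, and with the flag cleared the same tampered ciphertext decrypts to an altered message that the receiver accepts. Feed aead_open a modified header or ciphertext and it rejects the message before decrypting, which is the property the thread is asking OpenPGP to adopt.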
------
adrianN
So the message is: don't trust the integrity of encrypted mails unless the
signature is valid? That doesn't seem too terrible.

------
nickpsecurity
GPG comes through again. Not ideally but acceptably for the paranoids. :)

