Format Oracles on OpenPGP

Maury, Florian; Reinhard, Jean-René; Levillain, Olivier; Gilbert, Henri

doi:10.1007/978-3-319-16715-2_12

Cited by 3 publications

(4 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…If the adversary were able to carry out a MITM attack, then they could intercept and access the messages, and re-encrypt them to the victim's original encryption subkey, to avoid detection. 23…”

Section: Targeting Openpgp Applicationsmentioning

confidence: 99%

“…Nguyen [26] pointed out that RSA and ElGamal encryption do not achieve CCA security as they both use PKCS#1 v1.5 padding [15], which is vulnerable to Bleichenbacher's attack [4]. Other works showed how messages could be recovered by exploiting some oracles exposed when processing unauthenticated data in non-constant-time [23,25] or by tricking the victim into sharing the seemingly-random decrypted data [13,16]. The EFAIL attack [28] showed how plaintext could be exfiltrated by corrupting encrypted messages and exploiting the mishandling of integrity checks by applications.…”

Section: Introductionmentioning

confidence: 99%

“…FlowCrypt and ProtonMail developers were informed about the attacks. At the time of writing, the attacks described in this section are no longer possible 23. Since OpenPGP is vulnerable to surreptitious forwarding[5] unless the signature includes a signed Intended Recipient Fingerprint subpacket, the adversary could also relay any original message signature from the sender.…”

mentioning

confidence: 99%

See 2 more Smart Citations

Victory by KO

Bruseghini

Huigens²,

Paterson

2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

We present a set of attacks on the OpenPGP specification and implementations of it which result in full recovery of users' private keys. The attacks exploit the lack of cryptographic binding between the different fields inside an encrypted private key packet, which include the key algorithm identifier, the cleartext public parameters, and the encrypted private parameters. This allows an attacker who can overwrite certain fields in OpenPGP key packets to perform cross-algorithm attacks, causing a user's software to, for example, misinterpret an ECC private key as being a DSA key. It also allows an attacker to replace the legitimate public parameters with adversarially chosen ones, e.g. allowing them to select the DSA group. We refer to this class of attacks as Key Overwriting (KO) attacks. We provide a detailed analysis of the vulnerability of different OpenPGP libraries to KO attacks, showing in particular that in some cases additional key validation steps performed by libraries that should prevent the attacks in fact allow variant attacks. We also assess the applicability of KO attacks in the context of specific OpenPGP-based applications that reflect different threat models. Finally, we explain how KO attacks can be completely prevented (and the need for key validation obsoleted) at the OpenPGP specification level by expanding the existing proposal of using AEAD schemes for key packet protection to have all the security-relevant public fields included as Associated Data.

show abstract

Section: Targeting Openpgp Applicationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 1 more Smart Citation

Victory by KO

Bruseghini

Huigens²,

Paterson

2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…These cryptosystems allow the interacting parties to create a shared secret key for a symmetric cipher in such a way that an eavesdropper gets no information useful for cryptanalysis [1,2]. Network protocols that use asymmetric encryption include TLS [3], S/MIME [4], OpenPGP [5], Tor [6] and many others [7].…”

Section: Introductionmentioning

confidence: 99%

Polynomial-Time Plaintext-Recovery Attack on the Matrix-Based Knapsack Cipher

Vambol¹

2020

IJC

View full text Add to dashboard Cite

The aim of the present paper is to propose a polynomial-time plaintext-recovery attack on the matrix-based knapsack cipher. The aforesaid algorithm uses only public information and has time complexity O(t1.34), where t is the decryption time of the attacked cryptosystem. The matrix-based knapsack cipher is a novel additively homomorphic asymmetric encryption scheme, which is a representative of group-based knapsack ciphers. This cryptosystem is based on the isomorphic transformation’s properties of the inner direct product of diagonal subgroups of a general linear group over a Galois field. Unlike the classical knapsack cryptoschemes, the cryptographic strength of the aforesaid cipher depends on the computational complexity of the multidimensional discrete logarithm problem. Due to the attack proposed in the given paper, the matrix-based knapsack cipher can be considered broken and should not be used as a privacy tool. However, this cryptosystem is still suitable for educational purposes as an example of the application of linear and abstract algebras in asymmetric cryptography.

show abstract

File Encryption: PGP

Schwenk

2022

Guide to Internet Cryptography

View full text Add to dashboard Cite

Format Oracles on OpenPGP

Cited by 3 publications

References 17 publications

Victory by KO

Victory by KO

Polynomial-Time Plaintext-Recovery Attack on the Matrix-Based Knapsack Cipher

File Encryption: PGP

Contact Info

Product

Resources

About