The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools


Authenticated Encryption

PGP is sometimes criticized because it does not support a feature called authenticated encryption(AE). PGP is very flexible and is used in many contexts so I can not say that AE would not be valuable in all those cases. This is about why it is not that valuable in the typical messaging case.

PGP uses a type of encryption with a property that a professional cryptographer might refer to as malleability. This causes two potential issues.

The first and normally the most significant issue associated with malleability is that it might be possible to learn the contents of an encrypted message. This involves a process of repeated tests where the encrypted data is submitted in different ways and the results are used to refine the guesses. This sort of attack is called an oracle attack. PGP messaging is not generally susceptible to oracle attacks so the most serious risk is negated.

The second issue is that a message might be changed in some way that might mislead the recipient. AE would allow the recipient to detect such changes.

PGP currently uses signatures to detect message changes. If you receive a message and the signature checks OK then you know two things:

  • The message was created by the entity that signed it.
  • The message was not modified after it was created.

Signatures are conceptually simple and straightforward.

Here are the possibilities when we add AE on top of signatures:

Valid AE Invalid AE
Valid Signature AE redundant impossible
Invalid Signature message as sent message modified
Missing Signature message as sent message modified

So AE only adds value in the case of an invalid or missing signature. In other words; the case of anonymous messages.

An anonymous message can come from anywhere and be sent by anyone. If that person is up to no good and is hoping to mislead you or attack your end point they can just do that. If there is a requirement for AE they will just produce valid AE. There is no need to modify a message when they are creating the message in the first place. AE is only valuable in messaging when you can link it to a particular identity. PGP already has signatures for that.

… and what are you going to tell the user when the AE goes wrong? You can't just ignore the whole thing like you can do in other applications. The user sees they have an email and attempts to view it. That's when the AE fails. What would the error message be that would allow the user to make a good decision going forward? What if the user wants to see it even though it is wrong? They deserve the chance to figure out what went wrong, particularly if they are under some sort of attack.

There have been some attacks against the malleability of PGP encryption over the years. They lack the possibility of practical application.

One attack5) against inherently insecure content (HTML email) uses malleability to trigger leakage of an encrypted email. The attack requires knowledge of the first 11 bytes of the pre-encrypted message. It would cause the signature to fail and would result in an anonymous message. Use of the attack would immediately be noticed by the recipient. There were much easier and much more reliable ways found to trigger this leakage than malleability.

The researchers noted that email clients handled the failure of the PGP MDC integrity check caused by the attack very inconsistently and not always in a useful way. This fact tends to support my previous comments about the user interface problem created by adding a AE check to PGP. An AE failure is the same type of failure as an MDC failure and would have to be treated in the same way.

Another attack6) uses malleability to enhance social engineering. An encrypted message is modified to make it look like a bunch of random junk. Then the recipient is tricked somehow into decrypting the anonymous message (the signature would fail) and sending it back to the attacker. The attacker would undo the modification and get back a decrypted message.

The idea of adding some form of authenticated encryption to PGP is not entirely without merit but the absence of it is in no way any sort of a crisis, particularly in the case of messaging…

There is a sort of philosophical issue here as well. OpenPGP is a definition of a message format. It can't really specify how things are implemented. Most AE schemes are some sort of encryption with an integrity check bundled in. How bundled the check is would get lost in a mere message format. OpenPGP already defines an integrity check in the form of the modification detection code (MDC). So a proposed AE scheme for OpenPGP is really just a proposal for an integrity check different than the MDC and there isn't anything horribly wrong with the MDC. Most AE schemes do not include any sort of intrinsic protection against modification like the cipher feedback embodied by OpenPGP. So it is quite possible that adding an AE mode would actually make things worse, due to the extra complexity and the loss of intrinsic modification protection.

PGP FAN index

pgpfan/authenticated.txt · Last modified: 2021/07/29 20:53 by b.walzer