This is an old revision of the document!
Authenticated Encryption
OpenPGP is sometimes criticized because it does not support a feature called authenticated encryption (AE).
First off, OpenPGP does not need any sort of AE when used in the usual way. Since OpenPGP is stateless and compatible with offline use, each and every message/file is normally signed.
If you receive a signed message/file and the signature checks OK then you know two things:
- The message was created by the entity that signed it.
- The message was not modified after it was created.
Here are the possibilities when we add AE on top of signatures:
| Valid AE | Invalid AE | |
|---|---|---|
| Valid Signature | AE redundant | impossible |
| Invalid Signature | message as sent | message modified |
| Missing Signature | message as sent | message modified |
So AE only adds value in the case of an invalid or missing signature. In other words; the case of anonymous messages/files.
An anonymous message/file can come from anywhere and be sent by anyone. If that person is up to no good and is hoping to mislead you or attack your end point they can just do that. If there is a requirement for AE they will just produce valid AE. There is no need to modify a message when they are creating the message in the first place. AE is only valuable in messaging or file encryption when you can link it to a particular identity. That can be important for an online, stateful protocol like, say, TLS but the way OpenPGP uses signatures makes AE redundant.
The second point here is that OpenPGP for all practical purposes actually has AE in the form of the modification detection code (MDC). The MDC has never been circumvented in any way that matters. It was shown to reliably detect the well publicized EFAIL attack.
There is a sort of philosophical issue here as well. OpenPGP is a definition of a message format. It can't directly specify how things are implemented. Most AE schemes are some sort of encryption with an integrity check bundled in. How bundled the check is would get lost in a mere message format. OpenPGP already defines an integrity check in the form of the modification detection code (MDC). So a proposed AE scheme for OpenPGP is really just a proposal for an integrity check different than the MDC and there isn't anything wrong with the MDC. Most AE schemes do not include any sort of intrinsic protection against modification like the cipher feedback embodied by OpenPGP. So it is possible that adding an AE mode to OpenPGP would actually make things worse, due to the extra complexity and the loss of intrinsic modification protection.