Werner Koch writes:
> authenticated encryption is different from signed and encrypted mails.
> There are relatively easy attacks on the encryption layer if standard
> encryption modes like CBC (as in S/MIME) are used. Whether this really
> affects users is a different question but they can be used to leverage
> implementation flaws in MUAs to full plaintext leaks. This is known for
> 20 years and made it last year again to the media under the term EFAIL.

I'm confused. I thought the whole efail thing was about crafting a plain text message that says "Good signature verified" and fools the user even though it was never run through pgp or had its signature verified with s/mime.

> Granted, encrypted+signed mails can to a large extent also mitigate the
> threat. But there are still reasons why signatures can't be used or
> need to be verified only at a later time in the workflow.
>
> OpenPGP had a mitigation against this since 2000 and was widely deployed
> by 2003. However S/MIME never implemented this despite 10-year-old
> RFCs describing methods for such a mitigation, called authenticated
> encryption (AE or AEAD).

AFAICS, that is for encryption+sign. If you just want to sign, it sounds like you are saying that is broken. I don't see how. You can't modify the message and keep the hash unchanged, and you can't encrypt a new hash because you don't have the sender's private key.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
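The point Werner is making about the encryption layer, as an added illustration that is not part of this thread and not GnuPG code: without authentication, a ciphertext can be altered and the recipient's decryptor still produces plaintext without complaint, which is the property that EFAIL-style attacks chain with MUA bugs; an authenticated (AE/AEAD) construction rejects the altered ciphertext before any plaintext is handed to the mail client. To stay runnable with only the Python standard library, the example uses a constructed CTR-style keystream derived from HMAC-SHA256 in place of a real block cipher, and encrypt-then-MAC with HMAC as a stand-in for a real AEAD mode; these are assumptions of the example. Real CBC malleability is coarser (changing a block garbles the neighbouring block), but the defender's lesson is the same: unauthenticated decryption has no way to notice the change.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 tag length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for a real cipher mode so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_unauthenticated(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: plaintext XOR keystream. Nothing checks integrity."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


# XOR with the same keystream is its own inverse.
decrypt_unauthenticated = encrypt_unauthenticated


def encrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC: tag covers nonce and ciphertext (stand-in for an AEAD mode)."""
    ct = encrypt_unauthenticated(enc_key, nonce, data)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before releasing any plaintext."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext was modified")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def tamper(data: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an in-transit modification: XOR the bytes at `offset` with old^new.
    Requires no key; in the unauthenticated scheme the plaintext there becomes `new`."""
    out = bytearray(data)
    for i, (a, b) in enumerate(zip(old, new)):
        out[offset + i] ^= a ^ b
    return bytes(out)


def demo() -> dict:
    """Run the same modification against both constructions and report what each does."""
    enc_key = b"k" * 32  # constructed sample keys; use os.urandom(32) in real code
    mac_key = b"m" * 32
    nonce = b"n" * 12
    msg = b"pay 100 EUR to alice"  # constructed sample message; "100" starts at offset 4

    # Unauthenticated: the modified ciphertext decrypts cleanly to altered text.
    ct = encrypt_unauthenticated(enc_key, nonce, msg)
    silently_altered = decrypt_unauthenticated(enc_key, nonce, tamper(ct, 4, b"100", b"900"))

    # Authenticated: the same modification is detected and no plaintext is released.
    blob = encrypt_authenticated(enc_key, mac_key, nonce, msg)
    try:
        decrypt_authenticated(enc_key, mac_key, nonce, tamper(blob, 4, b"100", b"900"))
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unauthenticated_plaintext": silently_altered,
        "authenticated_rejected": rejected,
        "authenticated_intact": decrypt_authenticated(enc_key, mac_key, nonce, blob) == msg,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The detection side is the part worth copying: verify the tag over the whole ciphertext with a constant-time compare and refuse to emit any plaintext on mismatch. A decryptor that decrypts first and only reports a failed integrity check afterwards (or reports it as a warning the MUA can ignore) gives up most of the benefit, which is why the ordering in `decrypt_authenticated` matters.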