Communications in Cryptology IACR CiC

Legacy Encryption Downgrade Attacks against LibrePGP and CMS

Authors

Falko Strenzke, Johannes Roth
Falko Strenzke ORCID
MTG AG, Darmstadt, Germany
falko dot strenzke at mtg dot de
Johannes Roth ORCID
MTG AG, Darmstadt, Germany
johannes dot roth at mtg dot de
Keywords: AEAD downgrade CMS LibrePGP decryption-oracle

Abstract

This work describes vulnerabilities in the specification of AEAD modes and Key Wrap in two cryptographic message formats. Firstly, this applies to AEAD packets as introduced in the novel LibrePGP specification that is implemented by the widely used GnuPG application. Secondly, we describe vulnerabilities in the AES-based AEAD schemes as well as the Key Wrap Algorithm specified in the Cryptographic Message Syntax (CMS). These new attacks exploit the possibility to downgrade AEAD or AES Key Wrap ciphertexts to valid legacy CFB- or CBC-encrypted related ciphertexts and require that the attacker learns the content of the legacy decryption result. This can happen in two principal ways: either due to the human recipient returning the decryption output to the attacker as a quote or due to a programmatic decryption oracle in the receiving system that reveals information about the plaintext. The attacks effect the decryption of low-entropy plaintext blocks in AEAD ciphertexts and, in the case of LibrePGP, also the manipulation of existing AEAD ciphertexts. For AES Key Wrap in CMS, full key decryption is possible. Some of the attacks require multiple successful oracle queries. The attacks thus demonstrate that CCA2 security is not achieved by the LibrePGP and CMS AEAD or Key Wrap encryption in the presence of a legacy cipher mode decryption oracle. The proper countermeasure to thwart the attacks is a key derivation that ensures the use of unrelated block cipher keys for the different encryption modes.

References

[AFP13]
Nadhem J. Al Fardan and Kenneth G. Paterson. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols. In 2013 IEEE Symposium on Security and Privacy, pages 526-540. 2013. DOI: 10.1109/SP.2013.42
Google Scholar ePrint
[Ble98]
Daniel Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1. In CRYPTO, pages 1–12. 1998. Springer-Verlag. DOI: https://doi.org/10.1007/BFb0055716
Google Scholar ePrint
[BSY18]
Hanno Böck, Juraj Somorovsky, and Craig Young. Return Of Bleichenbacher's Oracle Threat (ROBOT). In Proceedings of the 27th USENIX Conference on Security Symposium, pages 817–832. 2018. https://eprint.iacr.org/2017/1189.pdf
Google Scholar ePrint
[CDF+07]
J. Callas, L. Donnerhacke, H. Finney, D. Shaw, and R. Thayer. RFC 4880 – OpenPGP Message Format. https://datatracker.ietf.org/doc/html/rfc4880. November 2007.
Google Scholar ePrint
[Cry]
Cryptography StackExchange Post. Why is plain-hash-then-encrypt not a secure MAC?. https://crypto.stackexchange.com/questions/16428/why-is-plain-hash-then-encrypt-not-a-secure-mac/16431#16431.
Google Scholar ePrint
[DR]
T. Duong and J. Rizzo. Here come the $⊕$ Ninjas.. Unpublished manuscript, 2011, https://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf.
Google Scholar ePrint
[Dwo04]
Morris Dworkin. NIST Special Publication 800-38C – Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality . 2004.
Google Scholar ePrint
[Dwo07]
Morris Dworkin. NIST Special Publication 800-38D – Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC . 2007.
Google Scholar ePrint
[Dwo12]
Morris Dworkin. NIST Special Publication 800-38F – Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf. December 2012.
Google Scholar ePrint
[gnu]
Google Scholar ePrint
[HD09]
R. Housley and M. Dworkin. RFC 5649 — Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm. https://datatracker.ietf.org/doc/html/rfc5649. August 2009.
Google Scholar ePrint
[Hou07]
R. Housley. RFC 5084 – Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS). https://datatracker.ietf.org/doc/html/rfc5084. November 2007.
Google Scholar ePrint
[Hou09]
R. Housley. RFC 5652 – Cryptographic Message Syntax (CMS). https://tools.ietf.org/html/rfc5652. 2009.
Google Scholar ePrint
[Hou25]
R. Housley. RFC 9709 – Encryption Key Derivation in the Cryptographic Message Syntax (CMS) Using HKDF with SHA-256. https://datatracker.ietf.org/doc/rfc9709/. January 2025.
Google Scholar ePrint
[IPK+23]
Fabian Ising, Damian Poddebniak, Tobias Kappert, Christoph Saatjohann, and Sebastian Schinzel. Content-Type: multipart/oracle - Tapping into Format Oracles in Email End-to-End Encryption. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4175–4192, Anaheim, CA. August 2023. USENIX Association.
Google Scholar ePrint
[JKS02]
Kahil Jallad, Jonathan Katz, and Bruce Schneier. Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG. In Agnes Hui Chan and Virgil Gligor, editors, Information Security, pages 90–101, Berlin, Heidelberg. 2002. Springer Berlin Heidelberg. DOI: 10.1007/3-540-45811-5_7
Google Scholar ePrint
[JPS13]
Tibor Jager, Kenneth G. Paterson, and Juraj Somorovsky. One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography. In 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013. 2013. https://www.ndss-symposium.org/ndss2013/ndss-2013-programme/one-bad-apple-backwards-compatibility-attacks-state-art-cryptography/
Google Scholar ePrint
[KE]
H. Krawczyk and P. Eronen. RFC 5869 — HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
Google Scholar ePrint
[Koc24]
Werner Koch. Private communication. 2024.
Google Scholar ePrint
[KR14]
T. Krovetz and P. Rogaway. RFC 7253 – The OCB Authenticated-Encryption Algorithm. https://datatracker.ietf.org/doc/html/rfc7253. 2014.
Google Scholar ePrint
[KS00]
Jonathan Katz and Bruce Schneier. A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols. In 9th USENIX Security Symposium (USENIX Security 00), Denver, CO. August 2000. USENIX Association.
Google Scholar ePrint
[KT23]
W. Koch and R. H. Tse. LibrePGP Message Format. https://www.ietf.org/archive/id/draft-koch-librepgp-00.html#section-5.14. November 2023.
Google Scholar ePrint
[Mag15]
J. Magazinius. Openpgp seip downgrade attack. http://www.metzdowd.com/pipermail/cryptography/2015-October/026685.html. October 2015.
Google Scholar ePrint
[MBP+19]
Jens Müller, Marcus Brinkmann, Damian Poddebniak, Sebastian Schinzel, and Jörg Schwenk. Re: What's Up Johnny? – Covert Content Attacks on Email End-to-End Encryption. 2019.
Google Scholar ePrint
[MRLG15]
Florian Maury, Jean-René Reinhard, Olivier Levillain, and Henri Gilbert. Format Oracles on OpenPGP. In Kaisa Nyberg, editor, Topics in Cryptology — CT-RSA 2015, pages 220–236, Cham. 2015. Springer International Publishing. DOI: 10.1007/978-3-319-16715-2_12 https://www.ssi.gouv.fr/uploads/2015/05/format-Oracles-on-OpenPGP.pdf
Google Scholar ePrint
[MZ06]
Serge Mister and Robert Zuccherato. An Attack on CFB Mode Encryption as Used by OpenPGP. In Bart Preneel and Stafford Tavares, editors, Selected Areas in Cryptography, pages 82–94, Berlin, Heidelberg. 2006. Springer Berlin Heidelberg. DOI: 10.1007/11693383_6
Google Scholar ePrint
[Mö14]
Bodo Möller. This POODLE bites: exploiting the SSL 3.0 fallback. https://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html. 2014.
Google Scholar ePrint
[PDM+18]
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk. Efail: Breaking S/MIME and OpenPGP Email Encryption Using Exfiltration Channels. In Proceedings of the 27th USENIX Conference on Security Symposium, pages 549–566, USA. 2018. USENIX Association.
Google Scholar ePrint
[Per02]
T. Perrin. Openpgp security analysis. https://www.ietf.org/mail-archive/web/openpgp/current/msg02909.html. September 2002.
Google Scholar ePrint
[SH02a]
J. Schaad and R. Housley. Advanced Encryption Standard (AES) Key Wrap Algorithm. https://datatracker.ietf.org/doc/html/rfc3394. September 2002.
Google Scholar ePrint
[SH02b]
J. Schaad and R. Housley. RFC 3394 — Advanced Encryption Standard (AES) Key Wrap Algorithm. https://datatracker.ietf.org/doc/html/rfc3394. September 2002.
Google Scholar ePrint
[STR19]
J. Schaad, S. Turner, and B. Ramsdell. RFC 8551 – Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification . https://tools.ietf.org/html/rfc8551. 2019.
Google Scholar ePrint
[Tur11]
S. Turner. RFC 6160 — Algorithms for Cryptographic Message Syntax (CMS) Protection of Symmetric Key Package Content Types. https://datatracker.ietf.org/doc/html/rfc6160. April 2011.
Google Scholar ePrint
[Vau02]
S. Vaudenay. Security Flaws Induced by CBC Padding – Applications to SSL, IPSEC, WTLS. In Advances in Cryptology – EUROCRYPT 2002, pages 543–545. 2002. Springer-Verlag. DOI: 10.1007/3-540-46035-7_35
Google Scholar ePrint
[Wag]
David Wagner. Email Subject: Re: BIG question about using and storing IV's. http://www.cs.berkeley.edu/ daw/my-posts/mdc-broken.
Google Scholar ePrint
[WHWN24]
Ed. Wouters P, D. Huigens, J. Winter, and Y. Niibe. RFC 9580 – OpenPGP. https://www.rfc-editor.org/rfc/rfc9580.html. July 2024.
Google Scholar ePrint

PDFPDF Open access

DOI: https://doi.org/10.62056/ayl86chdj
History
Submitted: 2025-01-10
Accepted: 2025-03-11
Published: 2025-04-08
How to cite

Falko Strenzke and Johannes Roth, Legacy Encryption Downgrade Attacks against LibrePGP and CMS. IACR Communications in Cryptology, vol. 2, no. 1, Apr 08, 2025, doi: 10.62056/ayl86chdj.

License

Copyright is held by the author(s)

This work is licensed under a Creative Commons Attribution (CC BY) license.