Communications in Cryptology IACR CiC

Legacy Encryption Downgrade Attacks against LibrePGP and CMS

Authors

Falko Strenzke, Johannes Roth
Falko Strenzke, MTG AG, Darmstadt, Germany, falko dot strenzke at mtg dot de
Johannes Roth, MTG AG, Darmstadt, Germany, johannes dot roth at mtg dot de

Abstract

This work describes vulnerabilities in the specification of AEAD modes and Key Wrap in two cryptographic message formats. Firstly, this applies to the AEAD packets introduced in the novel LibrePGP specification, which is implemented by the widely used GnuPG application. Secondly, we describe vulnerabilities in the AES-based AEAD schemes as well as the Key Wrap Algorithm specified in the Cryptographic Message Syntax (CMS). These new attacks exploit the possibility of downgrading AEAD or AES Key Wrap ciphertexts to valid legacy CFB- or CBC-encrypted related ciphertexts, and they require that the attacker learns the content of the legacy decryption result. This can happen in two principal ways: either because the human recipient returns the decryption output to the attacker as a quote, or because a programmatic decryption oracle in the receiving system reveals information about the plaintext. The attacks affect the decryption of low-entropy plaintext blocks in AEAD ciphertexts and, in the case of LibrePGP, also allow the manipulation of existing AEAD ciphertexts. For AES Key Wrap in CMS, full key decryption is possible. Some of the attacks require multiple successful oracle queries. The attacks thus demonstrate that CCA2 security is not achieved by the LibrePGP and CMS AEAD or Key Wrap encryption in the presence of a legacy cipher mode decryption oracle. The proper countermeasure to thwart the attacks is a key derivation that ensures the use of unrelated block cipher keys for the different encryption modes.
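The countermeasure named in the abstract, per-mode key separation, as an added illustration that is not code from the paper, from GnuPG or from any CMS implementation: an HKDF-SHA256 (RFC 5869) derivation that binds each block cipher key to the mode it is used in, so a ciphertext produced under the AEAD key is no longer a valid ciphertext under the key the legacy CFB/CBC path would use. The label strings and the empty salt are assumptions of this example, not the construction RFC 9709 specifies.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM).
    An empty salt is replaced by HASH_LEN zero bytes, as the RFC requires."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated
    until `length` bytes of output keying material are available."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length too large for HKDF")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def mode_bound_key(session_key: bytes, mode_label: bytes, key_len: int = 32) -> bytes:
    """Derive a per-mode block cipher key from one shared session key.
    Feeding the mode identifier as HKDF `info` makes the AEAD key and the
    legacy CFB/CBC key unrelated, which is what removes the downgrade path.
    (mode_label values below are illustrative assumptions, not RFC 9709 identifiers.)"""
    return hkdf_expand(hkdf_extract(b"", session_key), mode_label, key_len)


def derived_keys_are_distinct(session_key: bytes) -> bool:
    """Check the property the countermeasure relies on: neither mode key equals
    the other, and neither equals the raw session key that a naive design
    would hand to every mode."""
    aead_key = mode_bound_key(session_key, b"aead-ocb")
    cfb_key = mode_bound_key(session_key, b"legacy-cfb")
    return aead_key != cfb_key and session_key not in (aead_key, cfb_key)
```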


History
Submitted: 2025-01-10
Accepted: 2025-03-11
Published: 2025-04-08
How to cite

Falko Strenzke and Johannes Roth, Legacy Encryption Downgrade Attacks against LibrePGP and CMS. IACR Communications in Cryptology, vol. 2, no. 1, Apr 08, 2025, doi: 10.62056/ayl86chdj.

License

Copyright is held by the author(s)

This work is licensed under a Creative Commons Attribution (CC BY) license.