Technische Universität Braunschweig

Security Evaluation of Cryptographic Schemes in OpenPGP

Student: (visible for staff only)
Supervisor: Dr. Dominik Schürmann, Dr. Jürgen Koslowski
Professor: Prof. Dr.-Ing. Lars Wolf
IBR Group: CM (Prof. Wolf)
Type: Master Thesis, Project Thesis
Status: finished

Introduction

OpenPGP is a standard consisting of methods for key management, digital signatures, encryption, and data formats. It is currently defined by RFC 4880 with several extensions. It is mainly used for sending end-to-end signed and encrypted emails to provide confidentiality, integrity, and authenticity between sender and recipient. Its cryptography and key management have been proven to be resistant against modern active attackers, and Edward Snowden required it for secure communications with him. While man-in-the-middle attacks against TLS connections are easy after infiltrating a certificate authority, OpenPGP provides a more decentralized approach to key distribution and authenticity between originator and sender.

The most common implementations are the open-source command-line program gpg, written in C, its corresponding user interfaces such as Enigmail, and the Bouncy Castle library, written in Java. Two well-developed proprietary implementations also exist: Symantec Encryption Desktop and Symantec Encryption Server.

While the OpenPGP standard keeps its promises and has a sound message syntax and well-thought-out formats, it also has some weak points. Examples include:

  1. Donald T. Davis criticizes simple sign-then-encrypt schemes like the one used in OpenPGP in his paper "Defective Sign and Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML". Although this paper was published in 2001, the problems are still relevant. Reading this paper leads to a more fundamental question: What exactly are the semantics of an OpenPGP signature? This question sounds obvious at first, but is actually not answered in OpenPGP's RFC. Does a signature provide integrity, authenticity, or non-repudiation?
  2. Symmetric encryption in the OpenPGP standard is not protected by a state-of-the-art authenticated encryption algorithm. Most other protocols today employ AES-GCM (Galois/Counter Mode), a provably secure authenticated encryption scheme that uses a MAC (GMAC). OpenPGP, however, uses its own creation called MDC with a fixed hash algorithm. The standard even has a section about future work on this problem. Recently, OpenPGP has been employed on smartphones, virtual servers, and for webmail applications. Does the attack model of OpenPGP still hold in these cases, or does it need to be adjusted to allow for CCA attacks?
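
To make the MDC construction from item 2 concrete, the following Python example (added here; it is not code from this page, gpg, or Bouncy Castle) builds and checks the plaintext of a Symmetrically Encrypted Integrity Protected Data packet as laid out in RFC 4880, sections 5.13 and 5.14. The CFB encryption layer is left out, and the function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

MDC_HEADER = b"\xd3\x14"  # new-format header: tag 19 (MDC packet), body length 20
SHA1_LEN = 20             # the hash is fixed to SHA-1; there is no algorithm field

# Constructed sample standing in for the OpenPGP packets that get protected.
SAMPLE = b"constructed sample packet bytes"

def seipd_plaintext(data: bytes, block_size: int = 16,
                    prefix: Optional[bytes] = None) -> bytes:
    """Return the octets that are CFB-encrypted: prefix + data + MDC packet."""
    if prefix is None:
        rnd = os.urandom(block_size)
        prefix = rnd + rnd[-2:]  # random block plus a repeat of its last two octets
    body = prefix + data + MDC_HEADER
    # The MDC is an unkeyed hash over everything before it, including its own
    # two header octets. Integrity rests on the encryption layer, not on a key.
    return body + hashlib.sha1(body).digest()

def check_mdc(plaintext: bytes, block_size: int = 16) -> bytes:
    """Return the protected data if the MDC verifies, else raise ValueError."""
    min_len = block_size + 2 + len(MDC_HEADER) + SHA1_LEN
    if len(plaintext) < min_len:
        raise ValueError("too short to carry prefix and MDC")
    body, digest = plaintext[:-SHA1_LEN], plaintext[-SHA1_LEN:]
    if not body.endswith(MDC_HEADER):
        # A missing MDC must be a hard failure, not a downgrade to "unprotected".
        raise ValueError("MDC packet missing")
    if not hmac.compare_digest(hashlib.sha1(body).digest(), digest):
        raise ValueError("MDC mismatch: data was modified")
    return body[block_size + 2:-len(MDC_HEADER)]

if __name__ == "__main__":
    pt = seipd_plaintext(SAMPLE)
    print("verified:", check_mdc(pt) == SAMPLE)
    flipped = bytearray(pt)
    flipped[20] ^= 0x01  # flip one bit inside the protected data
    try:
        check_mdc(bytes(flipped))
    except ValueError as err:
        print("rejected:", err)
```

Unlike the GMAC tag in AES-GCM, the value checked here involves no key, which is the design difference the thesis is asked to evaluate under CCA attack models.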

Tasks

The resulting thesis should contain a detailed security analysis of the OpenPGP standard including the theoretic background of the cryptographic schemes, an attack model, and possible attack scenarios. Available literature must be referenced, while attack scenarios described in the literature should be reproduced. Optionally, exploits should be written and/or available OpenPGP implementations should be improved. Preferably, the results of this thesis could improve the OpenPGP standard itself to make it resistant under new attack models.

  • First of all, a comprehensive literature review needs to be done to understand OpenPGP's cryptographic schemes, state-of-the-art cryptographic schemes/protocols, and the severity of the described issues. Some papers exist showing CCA attacks against OpenPGP; these should be validated, and it should be evaluated whether the problems have been fixed in recent versions of the RFC.
  • OpenPGP's cryptographic schemes should be evaluated and compared with state-of-the-art solutions. Which attack scenarios are covered by OpenPGP and which are not? Do attack models such as CPA and CCA attacks apply to OpenPGP?
  • The RFCs must be read and compared with the actual implementations in gpg and Bouncy Castle. Are there workarounds in place to prevent the attacks by Davis, or can these issues be exploited in practice? If exploitable, a demonstration should be written in the language of your choice.
  • If any issues are confirmed, possible countermeasures should be proposed and adapted for the OpenPGP standard. Optionally, these could be implemented in Bouncy Castle's OpenPGP classes or gpg.

Supervisors

This thesis will be supervised by Dr. Dominik Schürmann (IBR, CM group) and Dr. Jürgen Koslowski (ITI).

Requirements

For this work, a very good understanding of real-world cryptography and protocols is required. To implement countermeasures, good knowledge of Java or C is required.

If you are interested, send an email to Dr. Dominik Schürmann including the following information:

  • Course of studies
  • Subject-related term
  • A small description of your knowledge in cryptography (have you taken the Cryptography courses by the ITI?)

Links

  • Adaptive-CCA on OpenPGP revisited
  • An attack on CFB mode encryption as used by OpenPGP
  • Defective Sign and Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML.
  • Discussion on the Cryptography mailing list: Does PGP use sign-then-encrypt or encrypt-then-sign?
  • On the Security of Joint Signature and Encryption
  • RFC 4880 OpenPGP Message Format
  • RFC 3156 MIME Security with OpenPGP
  • RFC 6637 Elliptic Curve Cryptography (ECC) in OpenPGP

last changed 2015-12-14, 16:24 by Dr. Dominik Schürmann
