Showing bad MDC error when it should be wrong password error when decrypting password-protected message #1406
Hi @rrrooommmaaa , the check on the repeated bytes is not implemented for password decryption as it can lead to a known decryption oracle attack. I'm afraid that without carrying out the repeated-bytes check, it is not possible to [always] distinguish whether you gave a wrong password, or whether the message was corrupted. PS: I don't have permissions to access the issue you linked.
Hey! The gist is: Bouncycastle does the opposite of what OpenPGP.js does (it disables the quick check for public key encrypted data and claims that the attack doesn't affect password based encrypted data).
We're getting "Modification detected" error instead of expected "Session key decryption failed" when trying to decrypt a symmetrically-encrypted message with certain wrong passwords.
There is an example unit test below. When trying to decrypt this message with a wrong password "wrong pwd", the test fails.
However, it would work with most other possible wrong passwords, e.g. "wrong pwds".
As I saw from the OpenPGP.js source code, using a wrong password results in gibberish; however, if the algorithm specifier octet falls within the range of valid algo enums (about 10 cases out of 256), the decryption process continues with this Session Key to catch an error further down the road.
To my understanding, 5.7 of RFC4880 defines an additional check of session key validity based on repetition of bytes in the randomly-generated prefix before the actual data of the Symmetrically Encrypted Data Packet. Is this applicable and implemented in OpenPGP.js? What could be the reason for this unexpected error message?
Related issue: https://github.com/FlowCrypt/flowcrypt-enterprise-on-prem/issues/1649
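The decryption flow the question describes, as an added illustration in JavaScript that is not OpenPGP.js code: the algorithm-octet check on the decrypted SKESK payload, the RFC 4880 section 5.7 repeated-octet quick check, and which error each path ends up reporting. The algorithm id list and block sizes are taken from RFC 4880/5581, and the sample byte arrays are constructed here.

```javascript
// Added illustration, not OpenPGP.js code: models why a wrong passphrase
// sometimes yields "Session key decryption failed" and sometimes
// "Modification detected", and the RFC 4880 s5.7 repeated-octet quick check.

// Symmetric algorithm ids from RFC 4880 s9.2 plus RFC 5581 (Camellia),
// with their cipher block sizes in octets.
const BLOCK_SIZE = { 1: 8, 2: 8, 3: 8, 4: 8, 7: 16, 8: 16, 9: 16, 10: 16, 11: 16, 12: 16, 13: 16 };

// Step 1: the decrypted SKESK payload (RFC 4880 s5.3) is one algorithm octet
// followed by the session key. A wrong passphrase gives random octets, so the
// only cheap sanity check is whether that first octet names a known cipher.
function classifySessionKey(decrypted) {
  const algo = decrypted[0];
  if (!(algo in BLOCK_SIZE)) {
    return { stage: 'skesk', error: 'Session key decryption failed' };
  }
  return { stage: 'seipd', algo, key: decrypted.subarray(1) };
}

// Step 2 (optional): RFC 4880 s5.7 quick check. The random prefix is
// blockSize octets followed by a copy of its last two octets.
function quickCheckPasses(prefix, blockSize) {
  return prefix[blockSize - 2] === prefix[blockSize] &&
         prefix[blockSize - 1] === prefix[blockSize + 1];
}

// Step 3: the error a decryptor reports. `mdcOk` stands in for the SHA-1 MDC
// verification of the decrypted body, which fails for a wrong key.
function expectedError(skeskPlain, prefix, useQuickCheck, mdcOk) {
  const sk = classifySessionKey(skeskPlain);
  if (sk.stage === 'skesk') return sk.error;
  if (useQuickCheck && !quickCheckPasses(prefix, BLOCK_SIZE[sk.algo])) {
    return 'Session key decryption failed';
  }
  return mdcOk ? null : 'Modification detected';
}

// Share of random algorithm octets that slip past step 1 (11/256, the
// "about 10 cases out of 256" mentioned in the discussion).
function fractionPassingAlgoCheck() {
  return Object.keys(BLOCK_SIZE).length / 256;
}

// Constructed samples: garbage SKESK plaintext whose first octet happens to be
// 9 (AES-256), garbage whose first octet is not a cipher id, and a prefix
// whose last two octets are not repeated (what a wrong key would produce).
const GARBAGE_VALID_ALGO = Uint8Array.from([9, ...Array(32).fill(0x5a)]);
const GARBAGE_BAD_ALGO = Uint8Array.from([0x5c, ...Array(32).fill(0x5a)]);
const BAD_PREFIX = Uint8Array.from(Array.from({ length: 18 }, (_, i) => i));
```

With the quick check disabled, `expectedError(GARBAGE_VALID_ALGO, BAD_PREFIX, false, false)` returns "Modification detected", which is the message-dependent behaviour reported above.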