Showing bad MDC error when it should be wrong password error when decrypting password-protected message

[rrrooommmaaa]

• OpenPGP.js version: 4.10.10
• Affected platform (Browser or Node.js version): both

We're getting "Modification detected" error instead of expected "Session key decryption failed" when trying to decrypt a symmetrically-encrypted message with certain wrong passwords.

There is an example unit test below. When trying to decrypt this message with a wrong password "wrong pwd", the test fails.
However, it would work with most of other possible wrong passwords, e.g. "wrong pwds".
As I saw from the OpenPGP.js source code, using a wrong password results in giberrish, however if the algorithm specifier octet falls within a range of valid algo enums (about 10 cases out of 256), the decryption process continues with this Session Key to catch an error futher down the road.

To my understanding, 5.7 of RFC4880 defines an additional check of session key validity based on repetition of bytes in the randomly-generated prefix before the actual data of Symmetrically Encrypted Data Packet. Is this applicable and implemented in OpenPGP.js? What could be the reason of this unexpected error message?

      it('should not decrypt with wrong password', async function() {
        const encrypted =
          `-----BEGIN PGP MESSAGE-----
Version: FlowCrypt 7.5.9 Gmail Encryption
Comment: Seamlessly send and receive encrypted email

wcFMAzBfgamu0SA1ARAAsVO7mCvul8NuZL3FhjAtGMvKOwx74lcr6XX2n8AP
E9TxNJOGuS8HshcI2kxap3PKusS0ZT40wnHc095PdqVRSH+PJ/69DQb84GSa
VmOFH4bV/JBgiC9t+4kvNQL/epxrTajPMG0l8vNwRGbsuB70aMlvMgfHKiC5
N8bcf1p7TPnMInfcv/tQH35MnjyPi0xVjN2NOXUNQacyEHUfhSjWm049qWP/
mvoZDWdWaW4qU7CWkBSm+vl4o6k6IHiRYIKoG4OYAwhrNSNA4vhcjZc/ABI6
aCtsD8+0Ts+mcNDbIdfNnLxT1yqhv46CEfFMyDdZ2BkYJkasECkwCKRtoMBN
+RcPB28a+OQH/Sv2g/NCzmpQe9dZBWWRyVv1HbOqxE7LH2/IHolDg+GrL1ut
j1T0bKvf//1o/WHwRHfes05dD4J5l+bDVykS9gmdeAUOyQPGw+rucSyPDwXC
FbngRropLlCiGSu9L08uxquLIq80f5HUML5xM3E9M2/v9mt/SnSjcwU47zPs
5T91q9AS8eiGS4kBzmF1NGosDX3s1CC1Vw8QjcN45zcIMgXxEQl5fDAD+nLY
49+VanZtcJo5AFlBczVFhDR2HIeGyaau3Kxcxa6CsmGIFjoM2RS/FkbLqKKY
leYGJYTZKiRSTTOhSZWgwnn6Pk4hewEdqhE4PAJxHTTDLgQJAwjuV5FCYxZT
4eDKWmMYMyGgMlOZ1/zFS7RQTvA35f2JIzSqO41EgX1ga6bSwtIBspb22z2+
ngCjl3FSWWFeKDgmq8DBIe4qGsQqVTvVXR4V44xiEh651nQPY3jMmAysByYn
JxKWo6Lwew3Z+IHK7AtK+i5asqNGluRuqIY+QgdVRbdJl678Lzo2ImtPjnaN
Wbz4xmk+lJVuyTxiK8hnEVZUPiYogniQ6ZgzTiKjkDiL7OjdxVwm/ZAnoHNv
W6e994A0g3PQ6k6Lon/pd0aYkfMBpo8CXWq+0CRX9Uqux/FziZ9kAnPlS56o
XQWJISz/F5ZlbcMTjzfBX83FY/G/hTiuu0bo0sBhOYKKeo6+thmbPiGDjIuG
hTnw4avIimw1Qqavj08mq0wbfPEQ9DakTfc6IUcqVKkyceBV6k95D9g8EfYc
mSXxlHwR/KLZKE50dUfFYOHv9FtrbFYO9wkTcddT6N5Y/RxfaOqEhNQWsrFO
BlXfhezebmGzqUc/qFbnJYWoIAicP8hAs+0gOTKVNafyMuD7Q2ruh2/41h/i
Iboa0EGJ4eNNSIAvJZ6ehDnTbPLp/9YYIrBoIGLZYNXyeF7bCllwnNdV6MhC
fhsU+ekP2Dr0dk7WdCAOLmeLoPzZnTHMUeaqRFYSM2dqVt35mMO7beDrCfnW
Q2wW+lSaNMyHHs4ao7PkBIcr92VJMCCiFuQ7SOFsGSGMgOeoIWmQxbUhuqcS
RUhoEspQRhQ/Ly4AlEdYRIOvHclyi8yAVyJE3xxInIfBHxdkon3h6qS5iRyD
WrVhBuXMir9bHqqUym/N7OVmDa47cf7/DNEK0SEFRRWIQh+6KmpDk2Xe5uL+
gTzcCID3/oEcmq5t3aOKFA8PVZ9qy9EKLzSVL/mHxrzBHFamo+5Vrq/+GHC4
bTZkMSGiJ6JL4qsR/Sdzk8hmNY+7JNx72m9YO9X8wQuFzlLrQvdICngOUBlG
2wo8QyggQyOeNdGF1Ys7skolmr80WfKr7We5aOEYn+zRaTM6k3f843LJWhNG
jkZgvkrYlQAF8e5V09Yr8Vx3YF6zMJyt4c7VGIfaxv25J6xNYbH/bRGY3Stf
rUHGK+rXNCMK8uobFqq0iTOorh3BXgYsM7eN/xWQyxDS8un75M2j8p+cAsyf
HXN3SDW8JAr9xyoj5iZpBPf7+Nht9p5e3LfzjoXa6H2Ls+V8cCZiO+bmKutL
MAbht0v3nw56jNgUL8QsLtUwdCgDuNDP2IL9JO239o2t0gBOlfapvcjxMGPe
coIlduJiUw==
=CRev
-----END PGP MESSAGE-----`;
        const decOpt = {
          message: await openpgp.readMessage({ armoredMessage: encrypted }),
          passwords: ['wrong pwd']
        };
        await expect(openpgp.decrypt(decOpt)).to.be.rejectedWith(/Session key decryption failed/);
      });

Related issue: https://github.com/FlowCrypt/flowcrypt-enterprise-on-prem/issues/1649

[larabr]

Hi @rrrooommmaaa , the check on the repeated bytes is not implemented for password decryption as it can lead to a known decryption oracle attack.
The reason why the error message is inconsistent, is that Session key decryption failed will still be shown if the session key decrypts to something random and containing an invalid cipher algorithm value.

I'm afraid that without carrying out the repeated-bytes check, it is not possible to [always] distinguish whether you gave a wrong password, or whether the message was corrupted.

PS: I don't have permissions to access the issue you linked.

[vanitasvitae]

Hey!
This issue also affects PGPainless, although in a slightly different way.
I wrote down my thoughts about this in this reply.

The gist is: Bouncycastle does the opposite of what OpenPGP.js does (it disables the quick check for public key encrypted data and claims that the attack doesn't affect password based encrypted data).
I personally don't see any reason why the oracle attack should affect password- and public key based encryption differently, as the attack is based on session keys, which are used equally in both cases.

[larabr]

Hi @vanitasvitae , public-key-encrypted session key packets include a checksum field that makes it possible to determine decryption correctness after session key decryption (and before using the session key). This is not the case for password-protected session keys.

Edit: just to clarify, OpenPGP.js never carries out the quick check, but it's only a [potential] "performance issue" for password-based encryption.

[vanitasvitae]

I see, thank you for your feedback :)