Hi Everyone,

This made my radar recently: https://eprint.iacr.org/2021/923.pdf. The
interesting thing about the attack is, App A is considered secure in
isolation, and App B is considered secure in isolation, but when
interacting App A and B produce an insecure result.

We've seen bad interactions among components within the same app
before, like incorrectly combining authentication and encryption. But
in this case it is not the same app. Rather, the vulnerability is a
product of two distinct apps using slightly different implementation
details sharing data.

I'm wondering if there's a CVE to cover the scenario. Looking through
existing CVEs I don't see one that jumps out at me.


Here's from the abstract of the paper:

... ElGamal encryption has been used in many
different contexts, chiefly among them by the OpenPGP standard.
Despite its simplicity, or perhaps because of it, in reality there is a
large degree of ambiguity on several key aspects of the cipher. Each
library in the OpenPGP ecosystem seems to have implemented a
slightly different “flavour” of ElGamal encryption. While –taken in
isolation– each implementation may be secure, we reveal that in the
interoperable world of OpenPGP, unforeseen cross-configuration
attacks become possible. Concretely, we propose different such
attacks and show their practical efficacy by recovering plaintexts
and even secret keys.

Reply via email to