Hello,

there is a recent analysis of chosen-ciphertext attacks to downgrade a Sym. Encrypted Integrity Protected Data Packet (Tag 18) to a plain Symmetrically Encrypted Data Packet (Tag 9).

The author Jonas Magazinius points out: "The implications are among others, that an encrypted and signed message can be stripped of its signature and modified arbitrarily, with certain restrictions, by an attacker without knowing the key."

Full details here: http://www.metzdowd.com/pipermail/cryptography/2015-October/026685.html

This seems to have been a known issue for years. GPG triggers a warning when a tag 9 packet (without integrity protection) is used. But this requires the user to understand the implications. And from a practical perspective, tag 9 is never used, as all relevant PGP implementations create messages only with integrity protection (tag 18). Then why keep this hole open?

I propose to deprecate tag 9. With this PR, decryption of a message with tag 9 will throw an exception: https://github.com/openpgpjs/openpgpjs/pull/360

For legacy use cases there is the config.enforce_integrity_protection setting, which can be set to false to bring back tag 9.

Best,
Thomas
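The check proposed above, sketched as an added example (not OpenPGP.js code and not the code from the linked PR): it reads RFC 4880 packet headers and refuses a tag 9 packet unless enforcement is switched off. The function names and the enforceIntegrityProtection parameter are hypothetical, and the sample bytes are constructed.

```javascript
// Added example; function and parameter names are hypothetical, not the OpenPGP.js API.
const TAG_SYM_ENCRYPTED = 9;            // Symmetrically Encrypted Data, no integrity check
const TAG_SYM_ENCRYPTED_INTEGRITY = 18; // Sym. Encrypted Integrity Protected Data
// Parse one RFC 4880 packet header at `pos`; bodyLength is null when the
// length is partial (new format) or indeterminate (old format).
function readPacketHeader(bytes, pos) {
  const first = bytes[pos];
  if (first === undefined || (first & 0x80) === 0) throw new Error('not a packet header');
  const old = (first & 0x40) === 0;
  const tag = old ? (first >> 2) & 0x0f : first & 0x3f;
  const need = (n) => { if (pos + n > bytes.length) throw new Error('truncated header'); };
  if (old) {
    const lengthType = first & 0x03;
    if (lengthType === 3) return { tag, bodyStart: pos + 1, bodyLength: null };
    const n = 1 << lengthType; // 1, 2 or 4 length octets
    need(1 + n);
    let len = 0;
    for (let i = 1; i <= n; i++) len = len * 256 + bytes[pos + i];
    return { tag, bodyStart: pos + 1 + n, bodyLength: len };
  }
  need(2);
  const o1 = bytes[pos + 1];
  if (o1 < 192) return { tag, bodyStart: pos + 2, bodyLength: o1 };
  if (o1 < 224) { need(3); return { tag, bodyStart: pos + 3, bodyLength: ((o1 - 192) << 8) + bytes[pos + 2] + 192 }; }
  if (o1 < 255) return { tag, bodyStart: pos + 2, bodyLength: null }; // partial body length
  need(6);
  let len = 0;
  for (let i = 2; i <= 5; i++) len = len * 256 + bytes[pos + i];
  return { tag, bodyStart: pos + 6, bodyLength: len };
}
// Walk the top-level packets and return the encrypted-data tag, refusing
// tag 9 unless the caller explicitly disables enforcement.
function encryptedDataTag(bytes, enforceIntegrityProtection = true) {
  for (let pos = 0; pos < bytes.length;) {
    const { tag, bodyStart, bodyLength } = readPacketHeader(bytes, pos);
    if (tag === TAG_SYM_ENCRYPTED_INTEGRITY) return tag;
    if (tag === TAG_SYM_ENCRYPTED) {
      if (enforceIntegrityProtection) throw new Error('tag 9 rejected: no integrity protection');
      return tag;
    }
    if (bodyLength === null) throw new Error('cannot skip packet of unknown length');
    pos = bodyStart + bodyLength;
  }
  throw new Error('no encrypted data packet found');
}
// Constructed inputs: a tag 3 session-key packet followed by dummy "ciphertext" bytes.
const SKESK = [0xc3, 0x04, 0x04, 0x09, 0x00, 0x02];
const PROTECTED = Uint8Array.from([...SKESK, 0xd2, 0x05, 0x01, 0xaa, 0xbb, 0xcc, 0xdd]);
const DOWNGRADED = Uint8Array.from([...SKESK, 0xc9, 0x04, 0xaa, 0xbb, 0xcc, 0xdd]);
```

The decision is made on the packet tag before any decryption is attempted, so a downgraded message fails closed instead of producing a warning the user has to interpret.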

