I guess I have halfway grasped the concepts of PGP, and I’ve halfway understood the concept of the Efail attack. However, I still don’t understand whether such attacks would be possible (and an MDC would be needed) even if all messages had a signature. I have read several dozen articles about Efail and MDC, but none of them mentioned how signatures come into play.
In my naive understanding, without much detail and over-simplified, and leaving out problems with headers and so on, the following happens when signing and encrypting a message, e.g. with GnuPG:
- The message text is hashed.
- The hash is asymmetrically encrypted with the private PGP key of the sender.
- That encrypted hash becomes part of the message text.
- An encryption key for a symmetric encryption method is chosen.
- That symmetric encryption key is asymmetrically encrypted with the public PGP key of the recipient.
- The message is encrypted using the symmetric encryption key.
- The (asymmetrically encrypted) symmetric encryption key becomes part of the message.
In this scenario, i.e. when every message is signed, I can’t understand how Efail attacks would work and why the MDC is recommended. After all, if anybody tampered with the message during transmission, this would be detected when the signature was verified. In my naive understanding, the following would happen upon reception:
- The symmetric encryption key is decrypted, using the private PGP key of the recipient.
- The whole message text is decrypted, using the symmetric encryption key.
- The hash of the message text is decrypted, using the public key of the sender.
- The decrypted message text is hashed by the recipient’s client, and the obtained hash is compared with the hash from the previous step. If both hashes are the same, the message has not been modified.
Did I miss something? Is it possible to tamper with signed messages without the recipient knowing about it, provided the recipient’s software always verifies the signature of received messages before doing anything with the message except saving it in decrypted form to disk for further usage?
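Added example, not from the question or from GnuPG: a toy Python model of the sign-then-encrypt and decrypt-then-verify steps listed above, with an HMAC standing in for the asymmetric signature and a hash-based keystream standing in for the symmetric cipher (both are simplifying assumptions, not OpenPGP). It shows that the signature does catch an in-transit modification, but only after the decrypted text already exists in the client, whereas an MDC-style check performed inside decryption stops the message before the client can do anything with it.

```python
import hashlib
import hmac

# Toy model, NOT OpenPGP: the "signature" is an HMAC under a sender key (stand-in for an
# asymmetric signature); the cipher is XOR with a SHA-256 counter keystream (stand-in for
# CFB mode, where a ciphertext change likewise alters the plaintext without the key);
# the "MDC" is a hash of the inner packet appended before encryption and checked during
# decryption. Keys below are constructed sample values.
SENDER_KEY = b"constructed-sender-signing-key"
SESSION_KEY = b"constructed-session-key"

def keystream(key, n):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def sign(text):
    return hmac.new(SENDER_KEY, text, "sha256").digest()

def sign_and_encrypt(text, with_mdc):
    body = text + sign(text)                    # signature travels inside the encryption
    if with_mdc:
        body += hashlib.sha256(body).digest()   # MDC covers text and signature together
    return xor(body, keystream(SESSION_KEY, len(body)))

def decrypt(ct, with_mdc):
    """Returns (text, signature); with an MDC it releases nothing on a mismatch."""
    body = xor(ct, keystream(SESSION_KEY, len(ct)))
    if with_mdc:
        body, mdc = body[:-32], body[-32:]
        if not hmac.compare_digest(hashlib.sha256(body).digest(), mdc):
            raise ValueError("MDC check failed: no plaintext released")
    return body[:-32], body[-32:]

def modify_in_transit(ct, pos):
    # Models a message altered on the way: one ciphertext byte changed, session key unknown.
    return ct[:pos] + bytes([ct[pos] ^ 0x20]) + ct[pos + 1:]

def client(ct, with_mdc, verify_first):
    """Receiving client. Returns (text the client acted on, signature ok).
    verify_first=False models a client that saves/renders the text before checking."""
    try:
        text, sig = decrypt(ct, with_mdc)
    except ValueError:
        return None, False                      # MDC stopped the message before any use
    ok = hmac.compare_digest(sign(text), sig)
    if verify_first and not ok:
        return None, False                      # signature stopped it before any use
    return text, ok                             # text was used; ok reports the check
```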