A Chosen Ciphertext Attack Against Several E-Mail Encryption Protocols
Several security protocols (PGP, PEM, MOSS, S/MIME, PKCS#7, CMS, etc.) have been developed to proivide confidentialtiy and authentication of electronic mail. These protocols are widely used and trusted for private communication over the Internet. We point out a potentially serous security hole in these protocols: any encrypted e-mail can be decrypted using a one-message, adaptive chosen-ciphertext attack which exploits the structure of the block cipher chaining models used. Although such attacks seem to be of primarily theoretical interest, we argue that they are feasible in the networked systems in which these e-mail protocols are used. We suggest several solutions to protect against this class of attack.