DidiSoft Ltd. company news, events and announcements.

Should the EFAIL attack concern your PGP applications

A few days ago in the world of applied cryptography especially S/MIME and PGP emails has appeared a new threat – the EFAIL attack.

In this post we are not going to explain again details of the attack itself as a lot has already been published on the Internet, but rather explain do you have to be concerned using any of the DidiSoft OpenPGP products.

The EFAIL attack in breaf

The EFAIL attack in short consists of allowing the receiver to decrypt the data and send it via HTTP request to the intruder. In the examples published in the source article this is done with an image tag artificial inserted by the intruder and the decrypted data sent as an HTTP request parameter for the image tag location (assumed to be on the intruder’s web host).

The main target of the attack is S/MIME and PGP encrypted email messages.

First approach (image tag)

The first approach they use is by modifying the email and introducing a new body part before the encrypted email body part, which contains an unclosed image tag.

Our proposed Solution

When implementing email rendering do not allow unclosed tags in a MIME section and perform HTML purification independently for each MIME body part.

Second approach (CBC/CFB gadget)

The second technique, named CBC/CFB gadget attack, exploits vulnerabilities in OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689).

From the EFAIL article the reader may conclude that the second vulnerability is something that a 12 year old boy can do at home:

“Given the current state of our research, the CFB gadget attack against PGP only has a success rate of approximately one in three attempts”

The reality tends to be different though. This is still an unconfirmed threat to PGP/MIME emails. The current Security Focus state regarding exploits is “Currently, we are not aware of any working exploits“. PGP/MIME emails with Integrity protection packet cannot be modified as of the time of this writing.

Our proposed Solution

When receiving PGP/MIME emails DidiSoft products will rise exception whether or not integrity protection has been set on the incoming data.

When sending PGP/MIME emails to other entities using DidiSoft products, please ensure that integrity check has been turned on!

Conclusion

The EFAIL attack exploits weaknesses in the implementation of some PGP email clients. The mass press coverage raised uncertainty in organizations relying on PGP encryption, but the attack targets PGP email client implementations and not PGP encryption as a whole.

We also recommend  you to read the one page official answer from the core PGP developers.

Read more...

Update to DidiSoft Privacy Policy

The new European General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. We can assure you that all DidiSoft services are fully compliant with GDPR as of today.

Not only is GDPR an important step in protecting the fundamental right to privacy for European citizens, it also raises the bar for data protection, security, and compliance in the industry.

The main three steps we have performed were to ensure that the customers’ data in our database is encrypted, to give you information for all the data we store for you and to ensure the right to erasure (to be forgotten).

Where can I see my data

In our customers’ section you will find a menu GDPR which displays all the information we have for you and your company.

Right to erasure (Act. 17 of GDPR)

In our customers’ section you will find a menu GDPR and a button at the bottom “Delete all my data”.  From there you can erase forever the data we store for you. You can also contact our support department and we can do that for you.

Read more...

Should DidiSoft OpenPGP Library for .NET provide strong name assemblies or unsigned assemblies?

Last week we have sent a short survey to subscribers for our OpenPGP Library for .NET mailing list. The survey had only one question:

Should DidiSoft OpenPGP Library for .NET provide strong name (signed) assemblies (DLL’s) or plain unsigned assemblies?

At the end of this post you will find the results of the survey, but first lets explain why did we made it.

DidiSoft OpenPGP Library for .NET was providing limited PGP emails support due to limitations in the System.Net.Mail namespace implementation regarding the MIME email formats (in fact we supported only PGP-inline emails). Recently we had received a numerous requests for additional support for PGP/MIME email format. In order to implement it we decided to use the open source MimeKit library but this is the moment where we were hit with this case:

+-------+        +---+         +--------+
|   B   +------->+ A +<--------+    D   |
+---+---+        +---+         +--------+
^                               ^
|                               |
|                               |
+---+---+                       +---+---+
|  C.1  |                       |  C.2  |
+-------+                       +-------+

Assembly A needs to use assemblies B and D, which reference different versions of assembly C. Of course this can be resolved with binding redirect in the app.config or dynamically in the AppDomain.CurrentDomain.AssemblyResolve event. But our aim was to provide a DidiSoft.Pgp.Mail.dll which use will be as simple as just referencing it straight away.

Digging for more information in Stackoverflow and MSDN we found out that probably the days when strong named assemblies were a must may have passed away. In order to hear what our community thinks we decided to file the survey. And here are the results:

The results are self explanatory – we must provide both strong named DLLs and unsigned too.

 

Read more...

Merry Xmas and a Happy New Year 2016

We say “Thank you” to all customers and partners for the excellent cooperation and loyalty during the last year.

The entire DidiSoft wish you and your family a happy and healthy holiday season and a prosperous 2016!

Your DidiSoft team

Read more...

OpenPGP standards and references

This page contains a list of public standards related to OpenPGP

Current OpenPGP standard

RFC 4880 – OpenPGP Message format
https://tools.ietf.org/html/rfc4880

RFC 3165 – PGP/MIME
https://tools.ietf.org/html/rfc3156

RFC 6637 – ECC (Elliptic Curve Cryptography) in OpenPGP
https://tools.ietf.org/html/rfc6637

RFC 5581 – Camellia cipher in OpenPGP
https://tools.ietf.org/html/rfc5581

Draft specifications 

SHA-3 in OpenPGP
https://tools.ietf.org/html/draft-jivsov-openpgp-sha3-01

Using DANE to Associate OpenPGP public keys with email addresses
https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-06

OpenPGP HTTP keyserver protocol
https://tools.ietf.org/html/draft-shaw-openpgp-hkp-00

OpenPGP Web Key service
https://tools.ietf.org/id/draft-koch-openpgp-webkey-service-00.txt

Obsolete standards

RFC 1991 – The old OpenPGP message format
https://www.ietf.org/rfc/rfc1991.txt

Read more...

OraPGP version 1.1 has been released

On the 19th of August this year we have released version 1.1 of DidiSoft OraPGP – the OpenPGP cryptography package for Oracle (c) PL/SQL.

What’s new in version 1.1?

Version 1.1 provides custom exception handling strategy in PL/SQL, which was missing in the first version of the package.

There are also overloaded versions of the ORA_PGP.ENCRYPT and ORA_PGP.DECRYPT functions accepting OpenPGP keys as variables of type BLOB. This provides the possibility keys to be loaded from external files through BFILE file handles and directories available to the Oracle (c) Database server through the CREATE DIRECTORY PL/SQL statement.

Upgrade from version 1.0

In order to upgrade from version 1.0 to the current version 1.1, first unload the old version JAR files from the Oracle© database:

dropjava.sh/.bat -r -v – u user/pass [extraction folder]\SetupFiles\jce-jdk13-151.jar
dropjava.sh/.bat -r -v – u user/pass [extraction folder]\SetupFiles\bcpg-jdk13-151.jar
dropjava.sh/.bat -r -v – u user/pass [extraction folder]\SetupFiles\pgplib-2.7.0.jar
dropjava.sh/.bat -r -v – u user/pass [extraction folder]\SetupFiles\ora-pgp-1.0.0.jar

After the old JAR files are unloaded continue to Setup.

Note: Don’t forget to replace above user/password with the database username/schema and password used in the initial Setup.

Read more...

Winter Holidays 2014

As this year approaches toward its end we would like to wish you a Merry Christmas and Happy New Year.

Our support staff will be offline for Christmas 25th of December and on 30, 31 of December and on the 1st of January 2015 and any emails on those dates will eventually be responded on the next working day.

Happy holidays!

Christmas

Read more...

Announcing OraPGP

OpenPGP for Oracle DB

Announcing DidiSoft OraPGP, a package of PL/SQL functions for the Oracle(c) Database platform version 11 and 12 offering OpenPGP cryptography functions.

The package conforms to the OpenPGP standard RFC 4880 and RFC 6637, with compatibility to the older standard RFC 1991.

The package is licensed per server and also an Enterprise wide license is available, which ships with an Enterprise License for DidiSoft OpenPGP Library for Java as an extra add-on.

Read more...

New Year holidays 2013

The end of the year is approaching and probably some of us will take at least a day or two to take some rest and celebrate.

We at DidiSoft will be on vacation from 29th of December 2013 to the 2nd of January 2014. Support requests filed in this period will be reviewed on the 3rd of January 2014.

Thank you for using our products and we wish you a happy Christmas and also happy New Year 2014.

Happy New Year 2014

Read more...