Resolving "Message integrity" Errors

[Patrick Brunschwig]

Overview

Due to the Efail vulnerability, we disabled in Enimgail 2.0.4 the decryption of messages that are not protected with a Modification Detection Code (MDC). The reason is that an attacker can modify encrypted messages without MDC and interpret from this some bits of your secret key.

To fix "Message Integrity Errors", you need to ensure that both you and your communication partners enable MDC on their keys. The following instructions need to be performed for each key, by both you and your partners:

1. open a command line prompt
2. execute the following command:

gpg --edit-key 0xYourKeyId setpref save

If you are asked if you "really want to update the preferences", type Y. You may be prompted at this point for your passphrase.

Then re-distribute your key to your communication partners and/or update it on the key servers.

Decrypting old Messages

With Enigmail 2.0.6, we implemented the following two options to decrypt old messages. We strongly recommend that you only follow the steps below with old messages, and not with newly received messages!

• Option 1: create a decrypted copy of emails (using Right Mouse Click on the selected message(s) > Decrypt to folder). Only do this if you trust your provider.
• Option 2: re-encrypt the messages with your updated key. This requires that you to create a new filter that you can apply on old messages (menu Tools > Message Filters). Create a new filter that is only executed manually and select the action Encrypt to key (Enigmail). Type your key ID into the text field. To re-encrypt the messages, selecting them and then choose menu Tools > Run Filters on Selected Messages.

Note: this will still not allow you to decrypt messages that have no MDC protection. You will need to do this on the command line for the time being.

Technical Background

MDC was introduced in 2001 and is enabled by default for new keys in GnuPG since 2003. However, old keys that use old algorithms like 3DES and CAST5 don't automatically profit from MDC. The setpref command modifies two thigs:
enable modern algorithms like AES
enable MDC

Both these options are only relevant for new messages.

[Gary Van Cott]

Note: this will still not allow you to decrypt messages that have no MDC protection. You will need to do this on the command line for the time being.

Do you have a link that shows how to do this? Thanks,
Gary

[Patrick Brunschwig]

You will need to view the message source (menu View > Message Source), Copy the complete part starting with

-----BEGIN PGP MESSAGE-----
...
-----END PGP MESSAGE-----

Open a command line prompt and type:

gpg -d

Then paste the copied message source. At the end hit enter followed by Ctrl-Z (Windows) or Ctrl-D (Linux/macOS/other Unixes).

[Gary Van Cott]

Thanks, the command line decryption worked.

gpg --edit-key 0xYourKeyId setpref save
This did not. Do I need to be in a specific directory?

[Patrick Brunschwig]

You need to send the updated key to the party that encrypts your mail, and they need to do the same for their key. Once that's done, any new mails should be working again - unless the sender uses an OpenPGP implementation that does not create MDC.

[Bender]

I have been unable to get enigmail to decrypt any messages sent from symantec pgp even though keys created with pgp have the MDC flag turned on this has broken 90% of my users encrypted communications. Is this an intended feature or something i'm doing wrong?

[Henning Mersch]

Hi
I have tons of PGPencrypted mails in my archive.
--> How could I decrypt my old mails, which do not have MDC?
BR - Henning

[Patrick Brunschwig]

I'm sorry, but the only way is through the command line. There is no other way.

MDC was introduced 17 years ago, and in the light of the severe weaknesses that have been discovered, it's about time to enforce it. We (the OpenPGP community) should have done this already many years ago.

There is no way to distinguish old from new mails, therefore the only way to go forward is to use the command line for old mails.

[Patrick Brunschwig]

There is one more thing I should add here. If your key doesn't support MDC, it's very likely that your key also doesn't support AES, otherwise you would have had error messages in Enigmail for about the last 10 years.

But if your key doesn't support AES, then you still encrypt your mails with encryption algorithms that are not recommended anymore, or even considered weak, like 3DES and CAST5.

[Tomas Potok]

Hi Patrick :)

This is a real productivity killer for us as many at our 100 person company have mail archives dating back more than 10 years...
(The oldest key we found to support MDC was from 2008.)

Please consider adding a way to read old emails with some warning.

Thanks,
Tomas

[Patrick Brunschwig]

I will look into this, but it's certainly not something I can do in short term.

[Jiri Kaderavek]

Please consider adding this option. Even browser allow you to skip the exception raised with unsecure certificate. Backward compatibility with clear warning is definitely the right option (for example, I use Enigmail to protect my drafts and if enigmail will allow me and others to reencrypt them with secure key, this will be clear benefit to security and goo message to your loyal users).

[Henning Mersch]

Hi
I have PGP encrpyted mails older than 10 years - my 1st key was from 2001.
So its not about my current key and currently sent mails - its about accessing mails from the archive nearly 20 years old. They are existing, I have the (old) keys but I cant access them anymore.
--> Do I really need to decrypt them and store them unencrypted? Should we then state as a consequence "enigmail w/ PGP is not for archiveing mails - its just for transfer, since tooling will change and you might not be able to access your PGP-encrpyted mails later".
--> Do we need an option "whenever seeing an encrpyted mail, store it unencrypted"?

1) Could enigmail just raise a warning popup if a non-MDC mail is about to be decrpyted?
2) If I understood correctly MDC is only adding security if there is no "real" signature. So could enigmail decrypt mails, which are signed (and do not have MDC)?

BR - Henning

[Patrick Brunschwig]

No, signatures don't solve the problem. The signature is created before the message is encrypted.

The threat behind "no MDC" is that an attacker knowing the decrypted content of a set of messages (any modified variants thereof) can derive parts of your secret key from it. If that happens, your secret key is compromised. Whether your messages are 20 years or 10 seconds old makes no difference.

That's why people consider S/MIME broken - there is no thing like MDC for S/MIME.

[Rob]

--> Do I really need to decrypt them and store them unencrypted? Should
we then state as a consequence "enigmail w/ PGP is not for archiveing
mails - its just for transfer, since tooling will change and you might
not be able to access your PGP-encrpyted mails later".

You could decrypt them and re-encrypt them under a new certificate;
that's possible. (Recommended, in fact.)

1) Could enigmail just raise a warning popup if a non-MDC mail is about
to be decrpyted?

This would be a bad idea. It would just condition people to click "yes"
without thinking about the implications. After a few years people would
be complaining about this warning message that "doesn't do anything
useful and I just click 'Yes' through it".

2) If I understood correctly MDC is only adding security if there is no
"real" signature. So could enigmail decrypt mails, which are signed (and
do not have MDC)?

This is a misunderstanding of MDCs.

[Zenon Panoussis]

I have the same problem and worse, so I simply compiled my own enigmail minus the MDC fail. Here's how:

1. Download the source: https://gitlab.com/enigmail/enigmail/-/archive/master/enigmail-master.zip
2. Unzip it and cd into the enigmail-master directory.

3. edit package/errorHandling.jsm and delete the following lines (currently 307-314)

   if (mdcMethod === "0" && aeadAlgo === "0") {
   c.statusFlags |= EnigmailConstants.MISSING_MDC;
   c.statusFlags |= EnigmailConstants.DECRYPTION_FAILED; // be sure to fail
   c.flag = EnigmailConstants.MISSING_MDC;
   EnigmailLog.DEBUG("errorHandling.jsm: missing MDC!\n");
   c.retStatusObj.statusMsg += EnigmailLocale.getString("missingMdcError") + "\n";
   }

4. Run ./build.sh

5. Delete your current enigmail and install the xpi in enigmail-master/build/
6. In thunderbird go Tools -> Add-ons -> Extensions -> Enigmail -> More and set automatic updates off.

It's a five-minute job all in all and the problem is solved.

[lsr]

OMG Thank you so much @Zenon Panoussis!! I registered here soleley to express my thanks for your post - it's a life-saver. I did exactly what you suggested - with the code you cited removed, the plugin works properly again!

[Gary Van Cott]

This is what happens when I try to update the key:

C:\Users\Gary>gpg --edit-key 0x0C00098CFAD31F4 setpref save
gpg (GnuPG) 2.0.30; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: key "0x0C00098CFAD31F4" not found: Invalid user ID

The key ID was what I found in Enigmail Key Management in Thunderbird.

[Bender]

try using the Name instead of the key ID for example assuming your keys name is Gary gpg --edit-key Gary then hit enter and see if it's displaying the right key. Then you can add the second command setpref then hit enter and press Y then add the save command.
Hopfully that will work for ya

[Gary Van Cott]

These steps appear to have worked. I have sent the updated key to the person who manages my server and I hope he will be able to load it.

[Patrick Brunschwig]

I updated the top post and added instructions how to decrypt or re-encrypt messages with Enigmail 2.0.6.

[Some User]

Hi Patrick.

Thanks for trying to make users really use secure options instead of unsecure ones. But in my own experience, this new and surprising behaviour of enigmail has totally killed encrypted communication for me and a bunch of users whom I just so had brought to start using encyrypted e-mails in the last few months - all operating with whatever standard settings there were in enigmail or gpg when they started using it.

Moreover, it has killed my access to all my encrypted messages sent over the last maybe 10 or whatever years.

In all of these people, there's maybe 1 person besides me who could manually decrypt and re-encrypt old messages - but I'm neither willing to tamper with these (I definitely want and need my local e-mail archives unchanged, be it only to be able to compare it to backups), nor do I have the time, nor do I want to update the settings for all the (other users') computers in the game.

So I think that while you may make users from tomorrow on use safer settings - you've created a very bad usability experience for users that have been using it for some time or just would have been interested in doing so regularly - but now, they only see: "encrypted e-mail does not work any more".

That's like pushing back the progress of convincing people to use encrypted e-Mail by several years.

So I would be grateful if you could simply turn this into a warning with an override button - which would be totally acceptable - instead of into a show stopper.

And - I'd rather be able to read my encrypted mail and have html mail support or any auto-execution or auto-display of any inline stuff disabled completely, than being plainly unable to read an old message at all (or only with cmdline actions).

I'll try to get an old version of enigmail back now (N.B.: did so, 2.0.3 works) and maybe in half a year I'll have time to do some more research to understand the problem - but certainly not now, and certainly not for maybe 10+ users/computers etc.

I still appreciate that it's possible to use encrypted e-mail relatively conveniently - so thank you for your efforts, and I hope that an occasional not-perfectly-happy feedback doesn't put you off your way :-).

Thanks again & Kind regards, Joerg

[Rob]

unsecure ones - but in my own experience, this new and surprising
behaviour of enigmail has totally killed off encrypted communication for
me, all my family, and a bunch of users whom I just so had brought to
start using encyrypted e-mails in the last few months - all operating

Then we encourage you to use something else. The time for holding all
users hostage to the backwards compatibility desires of a few is long,
long past.

That's like pushing back the progress of encrypted e-Mail use by some 10
years or so.

So, from "an insignificant fraction of all email users" to "an
insignificant fraction of all email users"?

There is a great power in having very small market adoption. It means
we can change things without setting ourselves back all that far. :)
This needs to be changed: it's been changed.

[robisimus]

Hi Patrick,

I have a question about Option 2 to decrypt old messages with MDC integrity error.

I updated my my key preferences and then followed all the steps from Option 2. I did not decrypt the messages using the command-line nor created a copy via Option 1 beforehand.
Everything worked nicely, the MDC error is gone and I can read the message without a glitch.

What I don't understand is the note under Option 2.
There was no need for decrypting the message prior to re-encrypting.

Regards,
Robert

My System:
Thunderbird 52.8.0
Enigmail 2.0.6.1
GnuPG 2.2.7
OS: Win 7 64-bit

[Patrick Brunschwig]

Option 2 does the re-encryption (i.e. decrypt & encrypt again).