Hi Full Disclosure readers,

The symmetric-key encryption used in Tutanota is vulnerable to ciphertext
malleability (a.k.a. arbitrary bit rewriting), since they fail to
authenticate their ciphertexts. The offending code snippet (for the Android
version of their app) is here:

https://github.com/tutao/tutanota/blob/7902514b846539643586baba10f293bf8ac975fc/native/src/android/de/tutao/plugin/Crypto.java#L246-L261

I am not the first to discover this implementation/design flaw. It was
previously reported by Richard, and beforehand by Steve Weis on Twitter.

https://tutanota.uservoice.com/forums/237921-general/suggestions/7858974-tutanota-is-using-unauthenticated-aes-cbc-encrypti

Isn't this quite serious for an encrypted email service?
> https://twitter.com/sweis/status/595051847934672898
>
> We're in May... Shouldn't fixing this be a high priority before the end of
> the year?
>
Their official response was to decline the ticket with this message:

The first focus of Tutanota is on encryption, but authentication will also
> be added. Authentication will not be achieved by MACing the messages like
> proposed because the session keys are one-time keys. Digital signatures
> need to be used. We have created this request to track that feature:
>

Indeed, they've confused the purpose of a MAC with the purpose of a digital
signature.

In a nutshell for non-crypto people reading this: MACs are Message
Authentication, digital signatures are "Identity" Authentication. MACs are
typically performed on symmetric encryption, digital signatures are
typically applied using asymmetric encryption. They're almost night and
day, although they (tragically) share the same word in the English language
(and possibly many others).

I opened a follow-up ticket with a link to one of our blog posts explaining
why authenticated encryption is necessary in the hopes that they would read
it, understand the mistakes they are making, and correct them.
https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly

However, considering this has been publicly recognized by others and
declined by their development team, I feel that immediate full disclosure
is appropriate.

On that note, Paragon Initiative offers code review services if anyone
would like us to look at their pet cryptography project and verify the
correctness of their implementations. PHP, Java, .NET, Python, you name it.
Keep us in mind if you (or your employer, if applicable) needs such a
service.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>