RE: [Cfrg] OpenPGP security analysis

Trevor Perrin <Tperrin@sigaba.com> Tue, 17 September 2002 17:26 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22617 for <cfrg-archive@odin.ietf.org>; Tue, 17 Sep 2002 13:26:50 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g8HHSBH28467 for cfrg-archive@odin.ietf.org; Tue, 17 Sep 2002 13:28:11 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8HHSBv28464 for <cfrg-web-archive@optimus.ietf.org>; Tue, 17 Sep 2002 13:28:11 -0400
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22613 for <cfrg-web-archive@ietf.org>; Tue, 17 Sep 2002 13:26:20 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8HHQ9v28370; Tue, 17 Sep 2002 13:26:09 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8HHPnv28341 for <cfrg@optimus.ietf.org>; Tue, 17 Sep 2002 13:25:49 -0400
Received: from bulwinkle.sigaba.com (bulwinkle.sigaba.com [67.113.238.132]) by ietf.org (8.9.1a/8.9.1a) with SMTP id NAA22532 for <cfrg@ietf.org>; Tue, 17 Sep 2002 13:23:57 -0400 (EDT)
Received: from bsd.sigaba.com (67.113.238.131) by bulwinkle.sigaba.com (Sigaba Gateway v3.5) with SMTP; Tue, 17 Sep 2002 10:18:16 -0700
Received: from exchange1.sigaba.com (exchange1.sigaba.com [10.10.10.10]) by bsd.sigaba.com (8.12.2/8.12.2) with ESMTP id g8HHOhE3004191; Tue, 17 Sep 2002 10:24:43 -0700
Received: by exchange.sigaba.com with Internet Mail Service (5.5.2653.19) id <TA7Z6C78>; Tue, 17 Sep 2002 10:24:40 -0700
Message-id: <2129B7848043D411881A00B0D0627EFEBFB18A@exchange.sigaba.com>
From: Trevor Perrin <Tperrin@sigaba.com>
To: "'Michael Young'" <mwy-opgp97@the-youngs.org>, Trevor Perrin <Tperrin@sigaba.com>, "'David Wagner'" <daw@cs.berkeley.edu>, ietf-openpgp@imc.org, cfrg@ietf.org
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Tue, 17 Sep 2002 10:24:39 -0700
MIME-Version: 1.0
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

>From: Michael Young [mailto:mwy-opgp97@the-youngs.org]
>
>But if this is the scenario, then two facts complicate the attack:
>    M and M' must be formatted as OpenPGP packets; and,

you're right, this does complicate the attack - it means that in the simple
truncation attack (where the evil message ciphertext is just a truncation of
the innocuous message ciphertext) the decrypted literal packet data length
will be wrong.

Unless there's a way to get around that, the only attack I see, then,
requires the attacker to inject make-believe check bytes and OpenPGP packet
formatting, and thus will succeed with probability only 2^-16 cause the
check bytes will probably turn out wrong. 

Trevor
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg