RE: [Cfrg] OpenPGP security analysis

Trevor Perrin <Tperrin@sigaba.com> Tue, 17 September 2002 02:55 UTC

Message-id: <2129B7848043D411881A00B0D0627EFEBFB188@exchange.sigaba.com>
From: Trevor Perrin <Tperrin@sigaba.com>
To: 'David Wagner' <daw@cs.berkeley.edu>, ietf-openpgp@imc.org, cfrg@ietf.org
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Mon, 16 Sep 2002 19:48:15 -0700


>-----Original Message-----
>From: David Wagner [mailto:daw@cs.berkeley.edu]
>
>Unfortunately, Hash-then-Encrypt has known security weaknesses, in
>general.  For instance, there is a chosen-plaintext attack that 
>lets you truncate a ciphertext without detection.  See, e.g.,
>http://www.cs.berkeley.edu/~daw/my-posts/mdc-broken


I don't see any complications that would trip this attack up in OpenPGP's
encryption/integrity packet type.  If you try to place M anywhere else
within M' besides the beginning, however, you'd have to guess at and prepend
duplicate prefix bytes to M, and snip so as to include the block previous to
these, and the attack would only have a 2^-16 probability of success because
the guessed duplicate prefix bytes probably won't match whatever the initial
prefix bytes turn out to be.

It seems like this could be fixed by using HMAC-SHA1 instead of just SHA1,
with a key derived by some function of the encryption key, but I'm not
sure...

Trevor