RE: [Cfrg] OpenPGP security analysis
Trevor Perrin <Tperrin@sigaba.com> Tue, 17 September 2002 19:10 UTC
Message-id: <2129B7848043D411881A00B0D0627EFEBFB18B@exchange.sigaba.com>
From: Trevor Perrin <Tperrin@sigaba.com>
To: Trevor Perrin <Tperrin@sigaba.com>, 'Michael Young' <mwy-opgp97@the-youngs.org>, 'David Wagner' <daw@cs.berkeley.edu>, "'ietf-openpgp@imc.org'" <ietf-openpgp@imc.org>, "'cfrg@ietf.org'" <cfrg@ietf.org>
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Tue, 17 Sep 2002 12:08:15 -0700
Another attack, based on the fact that the last block containing part of the hash is subject to bit-flipping, as David Wagner points out:

Suppose a 16-byte block size is being used, so the last 16 bytes of the SHA1 hash are subject to modification. This means the attacker can make targeted changes to the ciphertext, and if he is able to predict what effect these changes have on the corresponding plaintext, then he can compute what the new SHA1 hash should be. If this new hash collides with the old hash in the first 4 bytes, then he can bit-flip the last 16 bytes of the SHA1 hash to match. So the attacker can experimentally try around 2^31 ciphertext modifications, and odds are one of them will collide with the unmodifiable 4 bytes of the hash, and he'll be able to make a forgery.

With CFB (which PGP uses) and known plaintext, the attacker can make computable alterations in the plaintext by changing the ciphertext.

  Px   (the xth plaintext block)
  Px+1 (the x+1th plaintext block)
  Py   (the yth plaintext block)
  ...

He can change the ciphertext with predictable results on the plaintext by setting Cy=Cx. Then he can compute:

  Py   = (Py xor Cy) xor Cx
  Py+1 = (Px+1 xor Cx+1) xor Cy+1

Note that the attacker can't control Py or Py+1 with precision, because if he did targeted bit-flipping on the ciphertext he wouldn't know what that block was encrypted as. So this would mostly be useful for overwriting a particular section of incriminating evidence with random data, or somesuch.

There may be other ways of making predictable modifications of the plaintext, which can also take advantage of the fact that you only need to find a collision on 4 bytes of the hash, and then bit-flip the rest.

Trevor

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
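As an added illustration (not code from the post or from any OpenPGP implementation), the Python below checks the two CFB identities above against an actual CFB decryption after setting Cy=Cx, and shows that a keyed MAC computed over the ciphertext, as opposed to a hash carried inside the malleable plaintext, rejects the swapped block. The block cipher is replaced by a SHA-256-based keyed function (an assumption for illustration; CFB only uses the forward direction), and the key, IV and plaintext blocks are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # 16-byte block size, as in the post

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's forward function E_k (an assumption for illustration;
    # CFB only calls E in the encrypt direction, so any keyed PRF shows the same malleability).
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def cfb_encrypt(key: bytes, iv: bytes, P: list) -> list:
    # C_i = P_i xor E(C_{i-1}), with C_{-1} = IV
    C, prev = [], iv
    for p in P:
        prev = xor(p, E(key, prev))
        C.append(prev)
    return C

def cfb_decrypt(key: bytes, iv: bytes, C: list) -> list:
    # P_i = C_i xor E(C_{i-1}): block i's keystream depends only on ciphertext block i-1
    P, prev = [], iv
    for c in C:
        P.append(xor(c, E(key, prev)))
        prev = c
    return P

def check_cy_equals_cx(key: bytes, iv: bytes, P: list, x: int, y: int) -> tuple:
    """Set C_y = C_x and compare the decryption with the post's two predictions."""
    C = cfb_encrypt(key, iv, P)
    C2 = list(C); C2[y] = C[x]
    P2 = cfb_decrypt(key, iv, C2)
    pred_y = xor(xor(P[y], C[y]), C[x])               # Py' = (Py xor Cy) xor Cx
    pred_y1 = xor(xor(P[x + 1], C[x + 1]), C[y + 1])  # Py+1' = (Px+1 xor Cx+1) xor Cy+1
    untouched = all(P2[i] == P[i] for i in range(len(P)) if i not in (y, y + 1))
    return P2[y] == pred_y, P2[y + 1] == pred_y1, untouched

def mac_detects_swap(key: bytes, iv: bytes, P: list, x: int, y: int) -> bool:
    # A keyed MAC over the ciphertext, unlike a hash inside the malleable plaintext, rejects the swap
    C = cfb_encrypt(key, iv, P)
    tag = hmac.new(key, iv + b"".join(C), hashlib.sha256).digest()
    C2 = list(C); C2[y] = C[x]
    tag2 = hmac.new(key, iv + b"".join(C2), hashlib.sha256).digest()
    return not hmac.compare_digest(tag, tag2)

# Constructed sample values (not from the post): a fixed key and IV and six distinct blocks.
KEY, IV = b"constructed-key!", b"constructed-iv!!"
BLOCKS = [bytes([i]) * BLOCK for i in range(6)]
```

Calling check_cy_equals_cx(KEY, IV, BLOCKS, 1, 3) returns three True values: both predicted blocks match and every other block decrypts unchanged, which is exactly why the attacker needs to control only the hash bytes that fall in the last block.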