Re: [openpgp] encrypted packets' quick integrity check

Jonas Magazinius <jonas.magazinius@assured.se> Mon, 14 March 2016 14:37 UTC

From: Jonas Magazinius <jonas.magazinius@assured.se>
To: "Neal H. Walfield" <neal@walfield.org>, "openpgp@ietf.org" <openpgp@ietf.org>
Date: Mon, 14 Mar 2016 14:34:37 +0000
Message-ID: <4839758C632DAB46B985EF1ACCAE6A6CF4849F@ex-mbx1-15.cloud.local>
References: <87oaap86wr.wl-neal@walfield.org>
In-Reply-To: <87oaap86wr.wl-neal@walfield.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/-31CWXPWIgX37enzR9MHVHpCbBo>

Hi,


> The attack relies on finding the correct values for the quick
> integrity check using an exhaustive search.  This can be defeated by
> making an exhaustive search unfeasible.  Concretely, instead of just
> copying the last two bytes of the random IV, we replicate the whole
> IV.  This should be easy to do for SEIPD packets, since we have a
> version field.  Alternatively, we could store the hash of the session
> key, as Mister and Zuccherato suggest in Section 5.2 of their paper.

If you reuse the entire IV the check itself will be very easy to bypass, just prepend the ciphertext with two blocks of zeroes. 

Then in order for the rest of the ciphertext to make sense, you need to find a block that, when decrypted, resembles a dummy packet of appropriate size to line up with the rest of the packets. You can do that by adding another block between the zeroes and the original cipher text and brute-force the first few bytes of it.

If you want to go in that direction, you can use the second half of the IV, or the IV in reverse. That should fix the issue.


Regards,
Jonas
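The bypass described in this reply, worked through in code. This is an added example and not code from the thread, from GnuPG or from any other OpenPGP implementation. It assumes the SEIPD CFB layout of RFC 4880 (all-zero IV, no resynchronisation, 16-byte blocks), models Neal's proposal as "plaintext = IV || IV || data" with the check comparing the first two decrypted blocks, and uses a SHA-256-based keyed PRF as a stand-in for AES (CFB only ever runs the block cipher forwards, so the attack does not depend on the cipher). The recipient-side oracle (quick check plus a strict new-format packet walker that accepts only Marker and Literal Data packets with one-octet lengths), the Marker packet used as the dummy, the key, the prefix and the payload are all constructed for this example; the MDC that follows a real SEIPD packet is omitted because the quick check runs before it.

```python
"""Zero-block bypass of a 'replicate the whole IV' OpenPGP quick check.

Added example, not code from the thread or any OpenPGP implementation.
"""
import hashlib

BS = 16  # block size of the stand-in cipher (same as AES)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES-128 encryption of one block: a keyed PRF is all CFB
    # needs, since the inverse is never used.  NOT a real cipher.
    return hashlib.sha256(key + block).digest()[:BS]


def xor(a: bytes, b: bytes) -> bytes:
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def cfb_encrypt(key: bytes, pt: bytes) -> bytes:
    # OpenPGP SEIPD-style CFB: IV of all zeros, feedback = previous cipher block.
    prev, out = bytes(BS), b""
    for i in range(0, len(pt), BS):
        block = xor(block_encrypt(key, prev), pt[i:i + BS])
        out, prev = out + block, block
    return out


def cfb_decrypt(key: bytes, ct: bytes) -> bytes:
    prev, out = bytes(BS), b""
    for i in range(0, len(ct), BS):
        block = ct[i:i + BS]
        out, prev = out + xor(block_encrypt(key, prev), block), block
    return out


# Quick-check variants from the thread, each applied to the decrypted stream
# of the layout it belongs to (IV || IV, IV || IV[8:], IV || reverse(IV)).
def check_full_iv(pt: bytes) -> bool:      # Neal: copy the whole IV
    return pt[:BS] == pt[BS:2 * BS]

def check_second_half(pt: bytes) -> bool:  # Jonas: copy the second half
    return pt[BS // 2:BS] == pt[BS:BS + BS // 2]

def check_reversed(pt: bytes) -> bool:     # Jonas: copy the IV reversed
    return pt[BS:2 * BS] == pt[:BS][::-1]


def parse_packets(stream: bytes):
    # Minimal new-format packet walker (one-octet lengths, Marker=10 and
    # Literal Data=11 only); None on any malformed or misaligned packet.
    out, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream) or stream[i] & 0xC0 != 0xC0 or stream[i + 1] >= 192:
            return None
        tag, n = stream[i] & 0x3F, stream[i + 1]
        if tag not in (10, 11) or i + 2 + n > len(stream):
            return None
        out.append((tag, stream[i + 2:i + 2 + n]))
        i += 2 + n
    return out


def make_oracle(key: bytes, check):
    # Modelled recipient: rejects on quick-check failure or on a packet parse
    # error.  Either rejection is observable, which is what the attacker uses.
    def accepts(ct: bytes) -> bool:
        pt = cfb_decrypt(key, ct)
        return check(pt) and parse_packets(pt[2 * BS:]) is not None
    return accepts


def forge(ct: bytes, dummy_block: bytes) -> bytes:
    # Two zero blocks decrypt to E_k(0) || E_k(0) under any key, so the
    # full-IV comparison passes; the inserted block becomes the dummy packet.
    return bytes(2 * BS) + dummy_block + ct


def brute_force_dummy_header(accepts, ct: bytes):
    # Only the first two bytes of the inserted block matter (tag + length).
    for i in range(1 << 16):
        x = i.to_bytes(2, "big") + bytes(BS - 2)
        if accepts(forge(ct, x)):
            return x
    return None


# Constructed payload: one Literal Data packet (format 'b', no filename,
# zero date, 14 bytes of text) -> 2-byte header + 20-byte body.
LITERAL = bytes([0xC0 | 11, 20]) + b"b\x00" + bytes(4) + b"hello, openpgp"
MARKER_HDR = bytes([0xC0 | 10, 46])  # Marker packet whose body swallows 14 + 16 + 16 bytes


def run_attack() -> dict:
    key = b"constructed-demo-key"   # constructed; any length works for the stand-in PRF
    prefix = bytes(range(BS))       # stands in for the random prefix / IV
    ct = cfb_encrypt(key, prefix + prefix + LITERAL)   # Neal's proposed layout
    accepts = make_oracle(key, check_full_iv)

    pt0 = cfb_decrypt(key, forge(ct, b"") )  # step 1: zero blocks only
    found = brute_force_dummy_header(accepts, ct)  # step 2: attacker's search
    # What the search is looking for, computed with the key only to verify:
    expected = xor(block_encrypt(key, bytes(BS))[:2], MARKER_HDR) + bytes(BS - 2)
    pt1 = cfb_decrypt(key, forge(ct, expected))
    return {
        "full_iv_passes": check_full_iv(pt0),
        "second_half_passes": check_second_half(pt0),
        "reversed_passes": check_reversed(pt0),
        "original_stream_intact": pt0[2 * BS:] == prefix + prefix + LITERAL,
        "found": found,
        "found_accepted": found is not None and accepts(forge(ct, found)),
        "expected_accepted": accepts(forge(ct, expected)),
        "tail_matches": pt1[2 * BS + 2 + 46:] == LITERAL,
        "packets": [t for t, _ in parse_packets(pt1[2 * BS:])],
    }


if __name__ == "__main__":
    print(run_attack())
```

The structural reason the trick works is that a zero IV followed by a zero ciphertext block feeds the same input, zero, into the block cipher twice, so the first two decrypted blocks are identical whatever the key is, and the attacker never has to guess anything to satisfy an equality check between them. The junk those blocks leave in front of the real packets (14 bytes of the inserted block, one garbage block, and the displaced prefix) is exactly 46 bytes, so a two-byte search for a header with length 46 lines the stream back up. Comparing the second half of the IV or the IV reversed breaks the symmetry, which is why those checks fail on the same forged stream.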