RE: security fixes (KDF, MDC->MAC)?
Trevor Perrin <Tperrin@sigaba.com> Fri, 27 September 2002 19:28 UTC
Received: from above.proper.com (mail.proper.com [184.108.40.206])
by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA07465
for <firstname.lastname@example.org>; Fri, 27 Sep 2002 15:28:38 -0400 (EDT)
Received: (from majordomo@localhost) by above.proper.com (8.11.6/8.11.3) id g8RJNKm25723 for ietf-openpgp-bks; Fri, 27 Sep 2002 12:23:20 -0700 (PDT)
Received: from bulwinkle.sigaba.com (bulwinkle.sigaba.com [220.127.116.11]) by above.proper.com (8.11.6/8.11.3) with SMTP id g8RJNJv25717 for <email@example.com>; Fri, 27 Sep 2002 12:23:19 -0700 (PDT)
Received: from bsd.sigaba.com (18.104.22.168) by bulwinkle.sigaba.com (Sigaba Gateway v3.5) with SMTP; Fri, 27 Sep 2002 12:16:20 -0700
Received: from exchange1.sigaba.com (exchange1.sigaba.com [10.10.10.10]) by bsd.sigaba.com (8.12.2/8.12.2) with ESMTP id g8RJNGE3008148; Fri, 27 Sep 2002 12:23:16 -0700
Received: by exchange.sigaba.com with Internet Mail Service (5.5.2653.19) id <TM7RD0SB>; Fri, 27 Sep 2002 12:23:15 -0700
From: Trevor Perrin <Tperrin@sigaba.com>
To: Trevor Perrin <Tperrin@sigaba.com>, "'firstname.lastname@example.org'" <email@example.com>, "'firstname.lastname@example.org'" <email@example.com>
Subject: RE: security fixes (KDF, MDC->MAC)?
Date: Fri, 27 Sep 2002 12:23:04 -0700
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Fixed a typo- >-----Original Message----- >From: firstname.lastname@example.org [mailto:email@example.com] > >5.13. >[...] Unlike the Symmetrically Encrypted Data Packet, no > special CFB resynchronization is done after encrypting this prefix > data. > >doesn't this prevent converting packet 18 to 9 ? > It doesn't completely prevent the JKS attack. The attacker can still copy the first two blocks of ciphertext from a packet 18 to 9, and the check bytes will decrypt appropriately, but the remainder of the second block will be scrambled. So this will probably leave a malformed packet header, but there's a chance the header might still work, depending on how strict the parsing code is (for example, what if the packet tag gets randomly set to 11 for Literal Data, but the length is wrong?). The attacker can flip bits in the remainder of the second block and keep submitting guesses to a decryption oracle, until he stumbles on a packet header that makes the attack work. The attacker may also learn information from observing the oracle which lets him reconstruct the keystream bytes that the ciphertext is being XOR'd with. For example, if the oracle says "Error: packet tag 62 not supported", the attacker can reconstruct the keystream bits that correspond to the packet tag, and thus gain the ability to control its value. Trevor