Re: Anybody know details about Schneier's "flaw"?
Adam Back <adam@cypherspace.org> Fri, 16 August 2002 02:23 UTC
Date: Fri, 16 Aug 2002 03:13:42 +0100
From: Adam Back <adam@cypherspace.org>
To: Rodney Thayer <rodney@tillerman.to>
Cc: Derek Atkins <derek@ihtfp.com>, ietf-openpgp@imc.org
Subject: Re: Anybody know details about Schneier's "flaw"?

I agree. Increasing use of MDC is a better more direct solution.
(It's also a more robust solution -- how long until someone manages to
propagate the attack through compression -- it's not as if compression
were designed to prevent it.)

Also the attack for those who haven't read the paper is really
low-tech. They're just observing that if you can ask someone to
decrypt a message you can use that to decrypt related messages.

So you intentionally garble a message, and hope the user sends the
garbled plaintext back to you to ask what went wrong. The rest falls
out of the fact that if you garble a few bits of a ciphertext most of
the plaintext will still be intact.

So it's related to the earlier observation that unless a message is
signed you can undetectably (to PGP) garble its contents. This also
was hard to do if the message was compressed. This was the motivation
for the MDC.

Adam

On Thu, Aug 15, 2002 at 05:49:00PM -0700, Rodney Thayer wrote:
>
> my point was, requiring implementors to do compression sucks,
> in my opinion. this attack is insufficient justification.
>
> the attack is a social engineering attack. forcing implementors
> to add onerous code to defend against it is not a good idea.
>
> At 12:51 PM 8/14/2002 -0400, Derek Atkins wrote:
>
> >Rodney Thayer <rodney@tillerman.to> writes:
> >
> > > I think it's got too many odd things in it to require compression.
> >
> >Indeed.. As I said (perhaps incoherently), the attack only works if
> >you DO NOT compress. If you compress the message then there is no way
> >to XOR against the message.
>
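
Added example, not part of the original message or of any OpenPGP implementation: it shows the property the message relies on (a bit flipped in plain CFB ciphertext damages only two blocks and decryption reports nothing) next to a simplified MDC that rejects the same modification. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the block cipher, CFB is the textbook mode rather than OpenPGP's variant, the MDC is reduced to SHA-1 over the plaintext, and the key, IV and message are constructed sample values.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes

def _E(key, block):
    # Assumption: stand-in for a block cipher's encrypt direction. CFB never
    # uses the decrypt direction, so a keyed PRF truncated to one block will do.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def _cfb(key, iv, data, decrypting):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _E(key, prev)))
        out += res
        prev = chunk if decrypting else res  # feedback is the ciphertext block
    return bytes(out)

def encrypt(key, iv, pt):
    return _cfb(key, iv, pt, decrypting=False)

def decrypt(key, iv, ct):
    return _cfb(key, iv, ct, decrypting=True)

def seal_with_mdc(key, iv, pt):
    # Simplified MDC: SHA-1 of the plaintext is appended before encryption.
    return encrypt(key, iv, pt + hashlib.sha1(pt).digest())

def open_with_mdc(key, iv, ct):
    data = decrypt(key, iv, ct)
    pt, tag = data[:-20], data[-20:]
    if not hmac.compare_digest(hashlib.sha1(pt).digest(), tag):
        raise ValueError("MDC mismatch: ciphertext was modified in transit")
    return pt

def flip_bit(ct, index):
    out = bytearray(ct)
    out[index] ^= 0x01
    return bytes(out)

def damaged_blocks(original, recovered):
    # Indices of the 16-byte blocks that differ between the two plaintexts.
    return [i // BLOCK for i in range(0, len(original), BLOCK)
            if original[i:i + BLOCK] != recovered[i:i + BLOCK]]

# Constructed sample values, not taken from the thread.
KEY = b"k" * 16
IV = b"\x00" * BLOCK
MESSAGE = b"".join(b"block %d of text." % i for i in range(4))  # 4 x 16 bytes
```

Without the MDC, `decrypt` returns a result for the modified ciphertext with blocks 0 and 3 untouched; with it, `open_with_mdc` refuses to release any plaintext.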