Re: Anybody know details about Schneier's "flaw"?

Adam Back <adam@cypherspace.org> Fri, 16 August 2002 02:23 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA23535 for <openpgp-archive@odin.ietf.org>; Thu, 15 Aug 2002 22:23:46 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g7G2DgK09582 for ietf-openpgp-bks; Thu, 15 Aug 2002 19:13:42 -0700 (PDT)
Received: from mercury.ex.ac.uk (mercury.ex.ac.uk [144.173.6.26]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g7G2Dew09576 for <ietf-openpgp@imc.org>; Thu, 15 Aug 2002 19:13:42 -0700 (PDT)
Received: from cronus ([144.173.6.20] helo=cronus.ex.ac.uk) by mercury.ex.ac.uk with esmtp (Exim 3.33 #1) id 17fWcQ-002R4M-00; Fri, 16 Aug 2002 03:13:42 +0100
Date: Fri, 16 Aug 2002 03:13:42 +0100
From: Adam Back <adam@cypherspace.org>
To: Rodney Thayer <rodney@tillerman.to>
Cc: Derek Atkins <derek@ihtfp.com>, ietf-openpgp@imc.org
Subject: Re: Anybody know details about Schneier's "flaw"?
Message-ID: <20020816031342.A599725@exeter.ac.uk>
References: <5.1.1.6.2.20020814093305.01451338@127.0.0.1> <OF94CAB39F.FCF0A0BA-ON86256C15.00507ACA@kodak.com> <OF94CAB39F.FCF0A0BA-ON86256C15.00507ACA@kodak.com> <5.1.1.6.2.20020814093305.01451338@127.0.0.1> <sjm1y91wfh7.fsf@kikki.mit.edu> <5.1.1.6.2.20020815174759.02572e28@127.0.0.1>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.2i
In-Reply-To: <5.1.1.6.2.20020815174759.02572e28@127.0.0.1>; from rodney@tillerman.to on Thu, Aug 15, 2002 at 05:49:00PM -0700
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>

I agree.  Increasing use of MDC is a better more direct
solution. (It's also a more robust solution -- how long until someone
manages to propogate the attack through compression -- it's not as if
compression were designed to prevent it.)

Also the attack for those who haven't read the paper is really
low-tech.  They're just observing that if you can ask someone to
decrypt a message you can use that to decrypt related messages.  So
you intentionally garble a message, and hope the user sends you the
garbled plaintext back to you to ask what went wrong.  The rest falls
out of the fact that if you garble a few bits of a ciphertext most of
the plaintext will still be intact.

So it's related to the earlier observation that unless a message is
signed you can undetectably (to PGP) garble it's contents.  This also
was hard to do if the message was compressed.  This was the motivation
for the MDC.

Adam

On Thu, Aug 15, 2002 at 05:49:00PM -0700, Rodney Thayer wrote:
> 
> my point was, requiring implementors to do compression sucks,
> in my opinion.  this attack is insufficient justification.
> 
> the attack is a social engineering attack.  forcing implementors
> to add onerous code to defend against it is not a good idea.
> 
> At 12:51 PM 8/14/2002 -0400, Derek Atkins wrote:
> 
> >Rodney Thayer <rodney@tillerman.to> writes:
> >
> > > I think it's got too many odd things in it to require compression.
> >
> >Indeed.. As I said (perhaps incoherently), the attack only works if
> >you DO NOT compress.  If you compress the message then there is no way
> >to XOR against the message.
>