RE: [Cfrg] OpenPGP security analysis

Trevor Perrin <Tperrin@sigaba.com> Tue, 17 September 2002 02:59 UTC

Received: from above.proper.com (mail.proper.com [208.184.76.45]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA23536 for <openpgp-archive@lists.ietf.org>; Mon, 16 Sep 2002 22:59:46 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g8H2mKK16289 for ietf-openpgp-bks; Mon, 16 Sep 2002 19:48:20 -0700 (PDT)
Received: from bulwinkle.sigaba.com (bulwinkle.sigaba.com [67.113.238.132]) by above.proper.com (8.11.6/8.11.3) with SMTP id g8H2mIk16285 for <ietf-openpgp@imc.org>; Mon, 16 Sep 2002 19:48:19 -0700 (PDT)
Received: from bsd.sigaba.com (67.113.238.131) by bulwinkle.sigaba.com (Sigaba Gateway v3.5) with SMTP; Mon, 16 Sep 2002 19:41:51 -0700
Received: from exchange1.sigaba.com (exchange1.sigaba.com [10.10.10.10]) by bsd.sigaba.com (8.12.2/8.12.2) with ESMTP id g8H2mHE3012610; Mon, 16 Sep 2002 19:48:17 -0700
Received: by exchange.sigaba.com with Internet Mail Service (5.5.2653.19) id <TA7Z6CKF>; Mon, 16 Sep 2002 19:48:15 -0700
Message-id: <2129B7848043D411881A00B0D0627EFEBFB188@exchange.sigaba.com>
From: Trevor Perrin <Tperrin@sigaba.com>
To: "'David Wagner'" <daw@cs.berkeley.edu>, ietf-openpgp@imc.org, cfrg@ietf.org
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Mon, 16 Sep 2002 19:48:15 -0700
MIME-Version: 1.0
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Content-Transfer-Encoding: 7bit



>-----Original Message-----
>From: David Wagner [mailto:daw@cs.berkeley.edu]
>
>Unfortunately, Hash-then-Encrypt has known security weaknesses, in
>general.  For instance, there is a chosen-plaintext attack that 
>lets you truncate a ciphertext without detection.  See, e.g.,
>http://www.cs.berkeley.edu/~daw/my-posts/mdc-broken


I don't see any complications that would trip this attack up in OpenPGP's
encryption/integrity packet type.  If you try to place M anywhere else
within M' besides the beginning, however, you'd have to guess at and prepend
duplicate prefix bytes to M, and snip so as to include the block previous to
these, and the attack would only have a 2^-16 probability of success because
the guessed duplicate prefix bytes probably won't match whatever the initial
prefix bytes turn out to be.

It seems like this could be fixed by using HMAC-SHA1 instead of just SHA1,
with a key derived by some function of the encryption key, but I'm not
sure..

Trevor