RE: [Cfrg] OpenPGP security analysis

Trevor Perrin <> Tue, 17 September 2002 02:59 UTC

From: Trevor Perrin <>
To: 'David Wagner' <>,,
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Mon, 16 Sep 2002 19:48:15 -0700

>-----Original Message-----
>From: David Wagner []
>Unfortunately, Hash-then-Encrypt has known security weaknesses, in
>general.  For instance, there is a chosen-plaintext attack that 
>lets you truncate a ciphertext without detection.  See, e.g.,

I don't see any complications that would trip this attack up in OpenPGP's
encryption/integrity packet type.  If you try to place M anywhere else
within M' besides the beginning, however, you'd have to guess at and prepend
duplicate prefix bytes to M, and snip so as to include the block previous to
these, and the attack would only have a 2^-16 probability of success because
the guessed duplicate prefix bytes probably won't match whatever the initial
prefix bytes turn out to be.

It seems like this could be fixed by using HMAC-SHA1 instead of just SHA1,
with a key derived by some function of the encryption key, but I'm not
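Added illustration, not part of this thread or of any OpenPGP implementation: a toy Python model of the two constructions under discussion, OpenPGP-style hash-then-encrypt beside the HMAC-then-encrypt variant Perrin suggests, run through the chosen-plaintext truncation scenario. The SHA-256 counter keystream and the `mac_key` derivation are constructed stand-ins (OpenPGP actually uses CFB; the derivation is hypothetical), chosen so the example runs offline.

```python
import hashlib
import hmac

TAG_LEN = 20  # SHA-1 output length, the size of the OpenPGP MDC hash

def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (constructed stand-in for OpenPGP's CFB):
    dropping trailing ciphertext bytes drops exactly the matching plaintext."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac_key(key: bytes) -> bytes:
    # Hypothetical derivation of an HMAC key from the encryption key,
    # as the message proposes; not a real OpenPGP key schedule.
    return hashlib.sha256(b"mdc-mac-key|" + key).digest()

def tag_for(key: bytes, body: bytes, keyed: bool) -> bytes:
    """Integrity tag: plain SHA-1 (OpenPGP style) or HMAC-SHA1."""
    if keyed:
        return hmac.new(mac_key(key), body, hashlib.sha1).digest()
    return hashlib.sha1(body).digest()

def seal(key: bytes, msg: bytes, keyed: bool) -> bytes:
    """Append the tag to the plaintext, then encrypt the whole thing."""
    pt = msg + tag_for(key, msg, keyed)
    return xor(pt, keystream(key, len(pt)))

def unseal(key: bytes, ct: bytes, keyed: bool):
    """Decrypt and check the tag; return the body, or None on failure."""
    pt = xor(ct, keystream(key, len(ct)))
    body, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    ok = hmac.compare_digest(tag, tag_for(key, body, keyed))
    return body if ok else None

def truncation_survives(key: bytes, m: bytes, keyed: bool) -> bool:
    """The scenario from the thread: the sender is induced to seal
    M' = M || SHA1(M); the last TAG_LEN ciphertext bytes are then dropped.
    Returns True if the shortened ciphertext still verifies as M."""
    m_prime = m + hashlib.sha1(m).digest()
    ct = seal(key, m_prime, keyed)
    shortened = ct[: len(m) + TAG_LEN]
    return unseal(key, shortened, keyed) == m
```

With the unkeyed SHA-1 the shortened ciphertext decrypts and verifies as M, because the inner SHA1(M) now serves as the tag; with HMAC the attacker cannot supply a valid inner tag without the key, so the check fails.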