RE: [Cfrg] OpenPGP security analysis

Trevor Perrin <> Tue, 17 September 2002 17:01 UTC

Received: from ( []) by (8.9.1a/8.9.1a) with ESMTP id NAA21797 for <>; Tue, 17 Sep 2002 13:01:12 -0400 (EDT)
Received: from localhost (localhost [[UNIX: localhost]]) by (8.11.6/8.11.3) id g8HGoAs25330 for ietf-openpgp-bks; Tue, 17 Sep 2002 09:50:10 -0700 (PDT)
Received: from ( []) by (8.11.6/8.11.3) with SMTP id g8HGo3k25322 for <>; Tue, 17 Sep 2002 09:50:03 -0700 (PDT)
Received: from ( by (Sigaba Gateway v3.5) with SMTP; Tue, 17 Sep 2002 09:43:33 -0700
Received: from ( []) by (8.12.2/8.12.2) with ESMTP id g8HGo0E3003118; Tue, 17 Sep 2002 09:50:00 -0700
Received: by with Internet Mail Service (5.5.2653.19) id <TA7Z6CZH>; Tue, 17 Sep 2002 09:49:56 -0700
Message-id: <>
From: Trevor Perrin <>
To: 'Michael Young' <>, Trevor Perrin <>, 'David Wagner' <>,,
Subject: RE: [Cfrg] OpenPGP security analysis
Date: Tue, 17 Sep 2002 09:49:55 -0700
MIME-Version: 1.0
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-Archive: <>
List-Unsubscribe: <>
List-ID: <>
Content-Transfer-Encoding: 7bit

>From: Michael Young []
>Assuming the usual PGP public key model, the attacker doesn't need the
>sender to participate in this plan.  In this scenario, the attacker
>can alter message traffic from sender to receiver, so he could simply
>replace a message with is own well-formed PGP message.  
>Nothing new here.

Good point.  If the message is being secured with a passphrase instead of
the recipient's public key, however (which OpenPGP supports), the attack is
more serious, since the attacker would not normally be able to forge
passphrase-encrypted messages.

>This assumes that the receiver's public key is really public.
>If it's not, but you can convince the sender to encrypt arbitrary
>messages to it, then it's not really very private anyway.

The messages might not be totally arbitrary.  You might send a seemingly
innocuous (Word or PDF or XML or JPEG or whatever) document to Alice, and
say "forward this to Bob".  Alice reads the document and it looks fine, but
in some hidden field you've squirrelled away a more insidious message which
you plan on cutting out and using later.

>But if this is the scenario, then two facts complicate the attack:
>    M and M' must be formatted as OpenPGP packets; and,
>    the OpenPGP OFB scheme includes two redundant check bytes.

I believe the redundant check bytes reduce the probability of this attack
succeeding to 2^-16 when the insidious message is not located at the
beginning of the innocuous-looking message.  The attacker would have to cut
out the ciphertext block previous to where he spliced in his evil message,
and claim this is the ciphertext of the prefix block.  When the legitimate
recipient decrypts this first block, using CFB with an IV of 0, it will
produce bytes that are random from the attacker's perspective, and thus the
attacker won't have been able to anticipate and set the check bytes
appropriately.  If the attacker tries to modify the check bytes by bit
flipping the ciphertext and then submitting multiple tries to the recipient
until they match the prefix bytes, these modifications will be fed into CFB
and will destroy the next block of plaintext, thus invalidating the MDC
(even though the check bytes themselves aren't part of the MDC).

If the attacker places the evil message bytes at the very beginning of the
innocuous-looking message, then this caveat doesn't apply cause the sender
will set the check bytes appropriately, and the attacker just needs to

>(I'll explain in more detail in a separate note when I get time.)
>The MDC in OpenPGP is really no more than a checksum, intended to
>detect accidental damage.  (In fact, during the discussion, I believe
>that some folks suggested that it be just a checksum.)  Before the
>MDC, there was little ability to detect *any* sort of accident -- not
>just truncation, but fairly arbitrary internal damage as well.  (When
>the payload is a compressed packet, the decompression might discover
>damage, but then again, it might not.)  There was discussion of a
>stronger MAC, but I think this was dropped given that OpenPGP has a
>strong signature mechanism.

The security note at the bottom of page 65 in the current draft indicates
that this MDC is a security feature, and is intended to provide message

It stills seems like switching from SHA1 to HMAC-SHA1 would yield the
desired level of security, possibly using a key derivation function on the
session key to generate seemingly-independent encryption and authentication
keys, though I'm not sure if that's necessary.