security fixes (KDF, MDC->MAC)?
Trevor Perrin <Tperrin@sigaba.com> Thu, 26 September 2002 19:27 UTC
Received: from above.proper.com (mail.proper.com [220.127.116.11])
by ietf.org (8.9.1a/8.9.1a) with ESMTP id PAA19155
for <email@example.com>; Thu, 26 Sep 2002 15:27:47 -0400 (EDT)
Received: (from majordomo@localhost) by above.proper.com (8.11.6/8.11.3) id g8QJIAO01218 for ietf-openpgp-bks; Thu, 26 Sep 2002 12:18:10 -0700 (PDT)
Received: from bulwinkle.sigaba.com (bulwinkle.sigaba.com [18.104.22.168]) by above.proper.com (8.11.6/8.11.3) with SMTP id g8QJI8v01212 for <firstname.lastname@example.org>; Thu, 26 Sep 2002 12:18:08 -0700 (PDT)
Received: from bsd.sigaba.com (22.214.171.124) by bulwinkle.sigaba.com (Sigaba Gateway v3.5) with SMTP; Thu, 26 Sep 2002 12:11:13 -0700
Received: from exchange1.sigaba.com (exchange1.sigaba.com [10.10.10.10]) by bsd.sigaba.com (8.12.2/8.12.2) with ESMTP id g8QJI6E3032303 for <email@example.com>; Thu, 26 Sep 2002 12:18:06 -0700
Received: by exchange.sigaba.com with Internet Mail Service (5.5.2653.19) id <TM7RD9BB>; Thu, 26 Sep 2002 12:18:05 -0700
From: Trevor Perrin <Tperrin@sigaba.com>
To: "'firstname.lastname@example.org'" <email@example.com>
Subject: security fixes (KDF, MDC->MAC)?
Date: Thu, 26 Sep 2002 12:18:01 -0700
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Hello OpenPGP, Is there interest in fixing the security flaws discussed in the recent "security analysis" thread? - (1) the Integrity Protected Data and MDC Packets fail to stop Schneier et al's attack, because the ciphertext blocks can be pasted into a non-integrity protected packet (ie ciphertext from a tag 18 packet can be placed in a tag 9 packet, evading the MDC). (2) Once an attack like above recovered the prefix data, forgeries are possible: http://www.imc.org/ietf-openpgp/mail-archive/msg05804.html One fix (due to John Kane) would be a version 2 of the integrity-protected packet (tag 18). This new version would use a key derivation function (KDF) to derive separate encryption and authentication keys. The authentication key would be used by a new MAC packet (say tag 20), which would be just like the MDC packet but use HMAC-SHA1 instead of SHA1. Version = Integrity Protected Data Packet Version Number (2) EncKey = KDF(SessionKey, Version, 0) AuthKey = KDF(SessionKey, Version, 1) Since the encryption key is now the result of a version-dependent KDF, downgrade attacks like (1) are prevented. Since the MAC depends on the AuthKey which an attacker doesn't know, forgeries (2) are prevented. So what do people think? Is a fix like this worth it? Trevor