security fixes (KDF, MDC->MAC)?

Trevor Perrin <> Thu, 26 September 2002 19:27 UTC

From: Trevor Perrin <>
Subject: security fixes (KDF, MDC->MAC)?
Date: Thu, 26 Sep 2002 12:18:01 -0700
MIME-Version: 1.0
X-mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Precedence: bulk

Hello OpenPGP,

Is there interest in fixing the security flaws discussed in the recent
"security analysis" thread? -

(1) the Integrity Protected Data and MDC Packets fail to stop Schneier et
al's attack, because the ciphertext blocks can be pasted into a
non-integrity protected packet (i.e., ciphertext from a tag 18 packet can be
placed in a tag 9 packet, evading the MDC).

(2) Once an attack like above recovered the prefix data, forgeries are

One fix (due to John Kane) would be a version 2 of the integrity-protected
packet (tag 18).  This new version would use a key derivation function (KDF)
to derive separate encryption and authentication keys.  The authentication
key would be used by a new MAC packet (say tag 20), which would be just like
the MDC packet but use HMAC-SHA1 instead of SHA1.

Version = Integrity Protected Data Packet Version Number (2)
EncKey  = KDF(SessionKey, Version, 0)
AuthKey = KDF(SessionKey, Version, 1)

Since the encryption key is now the result of a version-dependent KDF,
downgrade attacks like (1) are prevented.

Since the MAC depends on the AuthKey which an attacker doesn't know,
forgeries (2) are prevented.

So what do people think?  Is a fix like this worth it?
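An added illustration of the proposed version-2 scheme (KDF-derived EncKey/AuthKey plus an HMAC-SHA1 MAC in place of the unkeyed MDC); this is example code, not from the post or from any OpenPGP implementation. Two assumptions: the KDF is taken to be HMAC-SHA1 over (Version || index), since the post does not fix one, and a standard-library HMAC keystream stands in for OpenPGP's CFB block cipher so the example runs offline.

```python
import hashlib
import hmac

VERSION = 2  # proposed Integrity Protected Data Packet version number
MAC_LEN = hashlib.sha1().digest_size

def kdf(session_key: bytes, version: int, index: int) -> bytes:
    # Assumed KDF (the proposal does not specify one): HMAC-SHA1 keyed with the
    # session key over (Version || index); index 0 is EncKey, 1 is AuthKey.
    return hmac.new(session_key, bytes([version, index]), hashlib.sha1).digest()

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for OpenPGP's CFB-mode block cipher so this runs on the standard
    # library only: a counter keystream from HMAC-SHA1, XORed into the data.
    out = bytearray()
    for i in range(0, len(data), MAC_LEN):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha1).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + MAC_LEN], block))
    return bytes(out)

def seal_v2(session_key: bytes, plaintext: bytes) -> bytes:
    # As with the MDC, the tag covers the plaintext and travels inside the
    # encrypted body; unlike the MDC it is HMAC-SHA1 under the separate AuthKey.
    enc_key, auth_key = kdf(session_key, VERSION, 0), kdf(session_key, VERSION, 1)
    mac = hmac.new(auth_key, plaintext, hashlib.sha1).digest()
    return stream_xor(enc_key, plaintext + mac)

def open_v2(session_key: bytes, ciphertext: bytes):
    # Returns the plaintext, or None when the MAC does not verify.
    enc_key, auth_key = kdf(session_key, VERSION, 0), kdf(session_key, VERSION, 1)
    body = stream_xor(enc_key, ciphertext)
    plaintext, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(auth_key, plaintext, hashlib.sha1).digest()
    return plaintext if hmac.compare_digest(mac, expected) else None

def demo():
    session_key = bytes(range(16))  # constructed sample session key
    message = b"Attack at dawn. Sincerely, Alice"
    packet = seal_v2(session_key, message)
    tampered = bytearray(packet)
    tampered[0] ^= 0x01  # a flipped ciphertext bit, the flaw (2) scenario
    # A tag-9 packet decrypts with the session key directly; pasting tag-18
    # ciphertext there (flaw 1) no longer yields the plaintext: EncKey != SessionKey.
    legacy = stream_xor(session_key, packet)[:len(message)]
    return {
        "roundtrip": open_v2(session_key, packet) == message,
        "forgery_rejected": open_v2(session_key, bytes(tampered)) is None,
        "downgrade_fails": legacy != message,
    }
```

The keystream stand-in makes bit flips land exactly where an attacker aims them, which CFB does not; the property being shown is only the key separation and the keyed check.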