Re: Is there any published analysis of OpenPGP's MDC?

Adam Back <adam@cypherspace.org> Tue, 12 December 2006 13:31 UTC

Date: Tue, 12 Dec 2006 08:02:54 -0500
From: Adam Back <adam@cypherspace.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: ietf-openpgp@imc.org, Adam Back <adam@cypherspace.org>
Subject: Re: Is there any published analysis of OpenPGP's MDC?
Message-ID: <20061212130254.GA1767@bitchcake.off.net>
References: <E1GtbXV-0007ZD-00@medusa01.cs.auckland.ac.nz>
In-Reply-To: <E1GtbXV-0007ZD-00@medusa01.cs.auckland.ac.nz>

I think one has to consider the attacker may know the hash, and also,
given the recent issues around SHA1, be able to with some effort
compute related hashes of modified documents, though at present with many
limitations.

With that background, CFB and CBC encryption remain quite malleable,
and a number of surprising things have been shown to be possible
through this in attacks on other protocols.  (Part of the reason for
introducing the MDC!)

Personally I think it's just more conservative to use a MAC, like
HMAC-SHA1 with a separate key.

Adam

On Mon, Dec 11, 2006 at 04:09:13PM +1300, Peter Gutmann wrote:
> 
> Subject line says it all, is there any published analysis of the
> strengths/weaknesses of OpenPGP's use of MDCs (encrypted SHA-1 hash) for
> private keys and data?  I've seen various informal arguments that it should be
> OK (and also informal ones that it may not be OK), but nothing definitive.
> 
> Peter.
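The CFB malleability Adam refers to, together with the two integrity options under discussion (a hash appended before encryption, versus HMAC under a separate key), as an added example that is not part of this thread or of any OpenPGP implementation. The block cipher is replaced by an HMAC-SHA256-based PRF stand-in so the script runs offline with the standard library only (an assumption, not a real cipher; CFB only calls the cipher in the forward direction, so a PRF is enough to show the mode's behaviour). The MDC layout is simplified to SHA-1 of the plaintext appended and encrypted in the same stream, without OpenPGP's packet framing. Keys, IV and the message are constructed for the example.

```python
import hashlib
import hmac

BLOCK = 16    # 16-byte blocks, as with AES
TAG_LEN = 20  # SHA-1 digest length, as used by the MDC and by HMAC-SHA1

# Constructed, fixed values so the example is deterministic and runs offline.
ENC_KEY = bytes(range(16))
MAC_KEY = bytes(range(16, 32))   # separate key for the MAC, per the post's suggestion
IV = bytes(range(32, 48))
MSG = b"TRANSFER 0000100 EUR TO ACCT 11111111 MEMO:rent."   # 48 bytes = 3 blocks


def block_fn(key, block):
    """Stand-in for a block cipher's encrypt direction (assumption: a PRF built
    from HMAC-SHA256, truncated to BLOCK bytes, instead of a real AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, plaintext):
    """Full-block CFB: C_i = P_i XOR E(C_{i-1}), C_0 = IV.
    A trailing short block is XORed with the leading keystream bytes."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext):
    """P_i = C_i XOR E(C_{i-1}): block i's keystream depends only on C_{i-1}."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_fn(key, prev))
        prev = c
    return bytes(out)


# Malleability 1: flipping one ciphertext bit in block i flips the same bit in
# plaintext block i, turns block i+1 into pseudorandom garbage, and leaves every
# other block intact. No key is needed for the flip.
def flip_bit(data, index, bit):
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def flipped_decrypt(key, iv, plaintext, index, bit):
    ct = cfb_encrypt(key, iv, plaintext)
    return cfb_decrypt(key, iv, flip_bit(ct, index, bit))


# Malleability 2: with known plaintext, C_n XOR P_n reveals the last keystream
# block, and since nothing chains after the final block it can be replaced with
# any value of the same length. Again, no key is needed.
def rewrite_tail(ct, known_pt, new_tail):
    start = ((len(ct) - 1) // BLOCK) * BLOCK   # offset of the final block
    if len(new_tail) != len(ct) - start:
        raise ValueError("new tail must match the final block length")
    keystream = xor(ct[start:], known_pt[start:])
    return ct[:start] + xor(new_tail, keystream)


# Integrity option A (MDC-style, simplified): hash of the plaintext, appended and
# encrypted in the same CFB stream. The tag's secrecy rests entirely on the cipher.
def seal_mdc(key, iv, plaintext):
    return cfb_encrypt(key, iv, plaintext + hashlib.sha1(plaintext).digest())


def open_mdc(key, iv, ciphertext):
    pt = cfb_decrypt(key, iv, ciphertext)
    body, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    return body if hmac.compare_digest(hashlib.sha1(body).digest(), tag) else None


# Integrity option B: encrypt-then-HMAC-SHA1 under a separate key. Forging the
# tag requires MAC_KEY, whether or not the attacker can compute related hashes.
def seal_etm(enc_key, mac_key, iv, plaintext):
    ct = cfb_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha1).digest()


def open_etm(enc_key, mac_key, iv, blob):
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha1).digest()
    return cfb_decrypt(enc_key, iv, ct) if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    print("bit flip   :", flipped_decrypt(ENC_KEY, IV, MSG, 5, 0))
    forged = rewrite_tail(cfb_encrypt(ENC_KEY, IV, MSG), MSG, b"22222 MEMO:rent.")
    print("tail forged:", cfb_decrypt(ENC_KEY, IV, forged))
    print("MDC detects:", open_mdc(ENC_KEY, IV, flip_bit(seal_mdc(ENC_KEY, IV, MSG), 5, 0)) is None)
    print("HMAC detects:", open_etm(ENC_KEY, MAC_KEY, IV,
                                    flip_bit(seal_etm(ENC_KEY, MAC_KEY, IV, MSG), 5, 0)) is None)
```

Both integrity checks reject the naive bit flip; the difference the post is about is what the attacker needs in order to do better than a naive flip: for the appended hash, the ability to predict or compute the hash of a modified message and then adjust the encrypted tag, for the HMAC, the separate key.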