Re: Is there any published analysis of OpenPGP's MDC?

Adam Back <> Thu, 14 December 2006 17:37 UTC

Date: Thu, 14 Dec 2006 12:11:15 -0500
From: Adam Back <>
To: Peter Gutmann <>
Cc:, Adam Back <>
Subject: Re: Is there any published analysis of OpenPGP's MDC?
Message-ID: <>
References: <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/

Other than backwards compatibility and smart card considerations, I
would either send two independent keys inside the key-exchange (if
there is space, which there should be at RSA 1024+ with standard
padding), or derive a pair from a master using KDF2 from IEEE P1363.

Are smart cards a concern with PGP implementations?

Is backwards compatibility a concern for this mode?  Aren't we talking
about a new mode: using CBC instead of CFB, using an HMAC-SHA1 (or,
well, so far SHA1) and using only AES?  I guess you're saying the
issue is there is no info in the v4 / v5 key to say "can read MDCs".

But are there sensible ways to put a tag that will be safely ignored,
but not deletable without screwing up the format?  Trying to
back-patch that onto the existing protocol in a way that old clients
will tolerate sounds like asking for security trouble in a kind of
"version rollback" attack of simply removing the MDC tag.


On Wed, Dec 13, 2006 at 04:31:57PM +1300, Peter Gutmann wrote:
> Where would you get the separate key from?  There's no easy way to get a
> separate MAC key from a PKC-encrypted conventional key.  Specifically, if
> you're using something like a smart card that only supports "unwrap RSA-
> encrypted key into 3DES object", you can't even get at the key.
> (I realise there are various kludges possible, but I'm not aware of any
> cryptographically sound way to do it.  You can't use one key for both
> encryption and MAC, deriving the MAC key from the encryption key compromises
> the MAC key if the encryption key is compromised, feeding both into a PRF
> means you lose backwards-compatibility with existing code that doesn't know
> the encryption key has to go through a PRF first, etc etc).
> Peter.
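The key-separation approach from Adam Back's first paragraph (derive an encryption key and a MAC key from one master secret with KDF2 from IEEE P1363, then put an HMAC over the ciphertext so that simply removing the tag is rejected rather than silently tolerated), as an added example that is not part of the thread and not code from any OpenPGP implementation. The function names, the 16-byte encryption key / 32-byte MAC key split, the context string, SHA-256 as the underlying hash, and the sample "ciphertext" bytes are all this example's own choices; no cipher is run, because the point is the key derivation and the tag check.

```python
"""Separate encryption and MAC keys from one master secret via KDF2,
plus an encrypt-then-MAC framing that rejects a stripped tag.

Added example; not code from the OpenPGP thread or any OpenPGP library.
Key sizes, labels and the framing layout are assumptions of this example.
"""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

ENC_KEY_LEN = 16   # assumed: e.g. an AES-128 key
MAC_KEY_LEN = 32   # assumed: HMAC-SHA256 key
TAG_LEN = hashlib.sha256().digest_size
CONTEXT = b"example-enc+mac-v1"   # assumed domain-separation label


def kdf_block(shared_secret: bytes, counter: int, other_info: bytes,
              hash_name: str) -> bytes:
    """One KDF2 block: Hash(Z || I2OSP(counter, 4) || OtherInfo)."""
    h = hashlib.new(hash_name)
    h.update(shared_secret)
    h.update(struct.pack(">I", counter))
    h.update(other_info)
    return h.digest()


def kdf2(shared_secret: bytes, length: int, other_info: bytes = b"",
         hash_name: str = "sha256") -> bytes:
    """KDF2 from IEEE P1363a: concatenate Hash(Z || counter || OtherInfo)
    for counter = 1, 2, ... and truncate to `length` bytes.
    (KDF1 is the same construction with the counter starting at 0.)"""
    out = b""
    counter = 1
    while len(out) < length:
        out += kdf_block(shared_secret, counter, other_info, hash_name)
        counter += 1
    return out[:length]


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one KDF2 output stream into (encryption key, MAC key).

    Both keys are functions of `master`, but neither is computable from
    the other without inverting the hash, which is what you lose if the
    MAC key is instead derived from the encryption key itself."""
    material = kdf2(master, ENC_KEY_LEN + MAC_KEY_LEN, other_info=CONTEXT)
    return material[:ENC_KEY_LEN], material[ENC_KEY_LEN:]


def seal(mac_key: bytes, header: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC framing: header || ciphertext || tag.
    The header is covered by the tag so a flipped 'has tag' bit is caught."""
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + tag


def open_sealed(mac_key: bytes, packet: bytes, header_len: int) -> Optional[bytes]:
    """Return the ciphertext if the trailing tag verifies, else None.

    A packet with the tag stripped either is too short or ends in bytes
    that are not a valid tag; both cases are rejected, so "just delete
    the tag" does not roll the receiver back to unauthenticated mode."""
    if len(packet) < header_len + TAG_LEN:
        return None
    header = packet[:header_len]
    body = packet[header_len:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return body


def demo() -> dict:
    """Run the derivation and the three receiver outcomes on constructed input."""
    master = bytes(range(32))                      # constructed master secret
    header = b"\x01\x00\x00\x10"                   # constructed 4-byte header
    ciphertext = b"\xaa\x55" * 24                  # constructed opaque ciphertext
    enc_key, mac_key = derive_keys(master)
    packet = seal(mac_key, header, ciphertext)
    tampered = packet[:10] + bytes([packet[10] ^ 0x01]) + packet[11:]
    stripped = packet[:-TAG_LEN]                   # the rollback attempt
    return {
        "enc_key_len": len(enc_key),
        "mac_key_len": len(mac_key),
        "keys_differ": enc_key != mac_key[:ENC_KEY_LEN],
        "good": open_sealed(mac_key, packet, len(header)),
        "tampered": open_sealed(mac_key, tampered, len(header)),
        "stripped": open_sealed(mac_key, stripped, len(header)),
        "ciphertext": ciphertext,
    }


if __name__ == "__main__":
    r = demo()
    print("good:", r["good"] == r["ciphertext"],
          "tampered:", r["tampered"], "stripped:", r["stripped"])
```

Deriving from the master rather than from the encryption key is what answers Peter's objection about MAC-key compromise, and it is exactly the step a card that only exposes "unwrap into a 3DES object" cannot perform, so the smart card question in the message above is left open by this example.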