Re: Is there any published analysis of OpenPGP's MDC?

pgut001@cs.auckland.ac.nz (Peter Gutmann) Wed, 13 December 2006 03:52 UTC

Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GuLAG-0007Cu-2K for openpgp-archive@lists.ietf.org; Tue, 12 Dec 2006 22:52:16 -0500
Received: from balder-227.proper.com ([192.245.12.227]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GuLAE-0007tW-Ex for openpgp-archive@lists.ietf.org; Tue, 12 Dec 2006 22:52:16 -0500
Received: from balder-227.proper.com (localhost [127.0.0.1]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kBD3W7JJ080473; Tue, 12 Dec 2006 20:32:07 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
Received: (from majordom@localhost) by balder-227.proper.com (8.13.5/8.13.5/Submit) id kBD3W7tn080472; Tue, 12 Dec 2006 20:32:07 -0700 (MST) (envelope-from owner-ietf-openpgp@mail.imc.org)
X-Authentication-Warning: balder-227.proper.com: majordom set sender to owner-ietf-openpgp@mail.imc.org using -f
Received: from zeppo.itss.auckland.ac.nz (zeppo.itss.auckland.ac.nz [130.216.190.14]) by balder-227.proper.com (8.13.5/8.13.5) with ESMTP id kBD3W5ci080453 for <ietf-openpgp@imc.org>; Tue, 12 Dec 2006 20:32:06 -0700 (MST) (envelope-from pgut001@cs.auckland.ac.nz)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zeppo.itss.auckland.ac.nz (Postfix) with ESMTP id 2B86D346DC; Wed, 13 Dec 2006 16:31:59 +1300 (NZDT)
Received: from zeppo.itss.auckland.ac.nz ([127.0.0.1]) by localhost (smtpd.itss.auckland.ac.nz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 05108-21; Wed, 13 Dec 2006 16:31:59 +1300 (NZDT)
Received: from iris.cs.auckland.ac.nz (iris.cs.auckland.ac.nz [130.216.33.152]) by zeppo.itss.auckland.ac.nz (Postfix) with ESMTP id C3D223453B; Wed, 13 Dec 2006 16:31:55 +1300 (NZDT)
Received: from medusa01.cs.auckland.ac.nz (medusa01.cs.auckland.ac.nz [130.216.34.33]) by iris.cs.auckland.ac.nz (Postfix) with ESMTP id 2435F37742; Wed, 13 Dec 2006 16:31:53 +1300 (NZDT)
Received: from pgut001 by medusa01.cs.auckland.ac.nz with local (Exim 3.36 #1 (Debian)) id 1GuKqb-0001SW-00; Wed, 13 Dec 2006 16:31:57 +1300
From: pgut001@cs.auckland.ac.nz
To: adam@cypherspace.org, pgut001@cs.auckland.ac.nz
Subject: Re: Is there any published analysis of OpenPGP's MDC?
Cc: ietf-openpgp@imc.org
In-Reply-To: <20061212130254.GA1767@bitchcake.off.net>
Message-Id: <E1GuKqb-0001SW-00@medusa01.cs.auckland.ac.nz>
Date: Wed, 13 Dec 2006 16:31:57 +1300
X-Virus-Scanned: by amavisd-new at mailhost.auckland.ac.nz
Sender: owner-ietf-openpgp@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
X-Spam-Score: 0.5 (/)
X-Scan-Signature: b19722fc8d3865b147c75ae2495625f2

Adam Back <adam@cypherspace.org> writes:

>I think one has to consider the attacker may know the hash, and also given
>the recent issues around SHA1 be able to with some effort compute related
>hashes of modified documents, though at present with many limitations.

Yeah, I was assuming known plaintext.

(Actually one way to make this more difficult is to encrypt (say) 128 bits of
zeroes after the message for which the ciphertext gets hashed but not
transmitted.  This eliminates the known-plaintext properties).

>With that background, CFB and CBC encryption remain quite malleable, and a
>number of surprising things have been shown to be possible through it in
>attacks on other protocols.  (Part of the reason for introducing the MDC!)
>Personally I think it's just more conservative to use a MAC, like HMAC-SHA1
>with a separate key.

Where would you get the separate key from?  There's no easy way to get a
separate MAC key from a PKC-encrypted conventional key.  Specifically, if
you're using something like a smart card that only supports "unwrap RSA-
encrypted key into 3DES object", you can't even get at the key.

(I realise there are various kludges possible, but I'm not aware of any
cryptographically sound way to do it.  You can't use one key for both
encryption and MAC; deriving the MAC key from the encryption key compromises
the MAC key if the encryption key is compromised; feeding both into a PRF
means you lose backwards-compatibility with existing code that doesn't know
the encryption key has to go through a PRF first; etc. etc.)

Peter.
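As an added illustration of the "feed both into a PRF" option Peter lists (this is example code written for this archive page, not code from his message, from Adam's, or from any OpenPGP implementation): the single PKC-transported session key is fed through a key-derivation function to obtain an independent encryption key and an independent HMAC-SHA1 key, and the MAC is computed over the ciphertext. The KDF is the HMAC extract-and-expand construction of RFC 5869 with SHA-256, the context labels are chosen here, and the cipher is an HMAC-based keystream standing in for the real block cipher so that the block runs on the Python standard library alone. Because the two keys are separate outputs of the PRF, recovering the encryption key alone does not yield the MAC key; recovering the session key yields both, and existing code that used the session key directly as the cipher key would not interoperate, which is the compatibility cost Peter describes.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256  # PRF underlying the key derivation (an assumption of this example)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(session_key: bytes):
    """Split one transported session key into independent encryption and
    MAC keys.  The labels are constructed for this example."""
    prk = hkdf_extract(b"", session_key)
    enc_key = hkdf_expand(prk, b"example: encryption key", 16)
    mac_key = hkdf_expand(prk, b"example: hmac-sha1 key", 20)
    return enc_key, mac_key


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for the block cipher: HMAC used as a PRF in counter mode."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + ctr.to_bytes(8, "big"), HASH).digest()
        ctr += 1
    return out[:length]


def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: IV | ciphertext | HMAC-SHA1(mac_key, IV | ciphertext)."""
    enc_key, mac_key = derive_keys(session_key)
    iv = os.urandom(16)
    ks = keystream(enc_key, iv, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha1).digest()
    return iv + ct + tag


def unseal(session_key: bytes, packet: bytes):
    """Verify the tag before decrypting; return None on any mismatch so a
    modified ciphertext is rejected rather than decrypted."""
    if len(packet) < 16 + 20:
        return None
    enc_key, mac_key = derive_keys(session_key)
    iv, ct, tag = packet[:16], packet[16:-20], packet[-20:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = keystream(enc_key, iv, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


if __name__ == "__main__":
    # Constructed sample session key, as a public-key layer would deliver it.
    k = bytes(range(16))
    pkt = seal(k, b"the MDC example message")
    print(unseal(k, pkt))
    damaged = bytearray(pkt)
    damaged[16] ^= 0x01  # one-bit change in the ciphertext
    print(unseal(k, bytes(damaged)))  # None: rejected by the MAC
```

The tag is verified with a constant-time comparison and the packet is rejected before any decryption when it fails, so a modified ciphertext never reaches the consumer; with a genuine block cipher in place of the HMAC keystream the structure is unchanged.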