[Top] [All Lists]

Re: Anybody know details about Schneier's "flaw"?

2002-08-15 19:13:42

I agree.  Increasing use of MDC is a better more direct
solution. (It's also a more robust solution -- how long until someone
manages to propogate the attack through compression -- it's not as if
compression were designed to prevent it.)

Also the attack for those who haven't read the paper is really
low-tech.  They're just observing that if you can ask someone to
decrypt a message you can use that to decrypt related messages.  So
you intentionally garble a message, and hope the user sends you the
garbled plaintext back to you to ask what went wrong.  The rest falls
out of the fact that if you garble a few bits of a ciphertext most of
the plaintext will still be intact.

So it's related to the earlier observation that unless a message is
signed you can undetectably (to PGP) garble it's contents.  This also
was hard to do if the message was compressed.  This was the motivation
for the MDC.


On Thu, Aug 15, 2002 at 05:49:00PM -0700, Rodney Thayer wrote:

my point was, requiring implementors to do compression sucks,
in my opinion.  this attack is insufficient justification.

the attack is a social engineering attack.  forcing implementors
to add onerous code to defend against it is not a good idea.

At 12:51 PM 8/14/2002 -0400, Derek Atkins wrote:

Rodney Thayer <rodney(_at_)tillerman(_dot_)to> writes:

I think it's got too many odd things in it to require compression.

Indeed.. As I said (perhaps incoherently), the attack only works if
you DO NOT compress.  If you compress the message then there is no way
to XOR against the message.