[Top] [All Lists]

RE: [Cfrg] OpenPGP security analysis

2002-09-16 19:48:20

-----Original Message-----
From: David Wagner [mailto:daw(_at_)cs(_dot_)berkeley(_dot_)edu]

Unfortunately, Hash-then-Encrypt has known security weaknesses, in
general.  For instance, there is a chosen-plaintext attack that 
lets you truncate a ciphertext without detection.  See, e.g.,

I don't see any complications that would trip this attack up in OpenPGP's
encryption/integrity packet type.  If you try to place M anywhere else
within M' besides the beginning, however, you'd have to guess at and prepend
duplicate prefix bytes to M, and snip so as to include the block previous to
these, and the attack would only have a 2^-16 probability of success because
the guessed duplicate prefix bytes probably won't match whatever the initial
prefix bytes turn out to be.

It seems like this could be fixed by using HMAC-SHA1 instead of just SHA1,
with a key derived by some function of the encryption key, but I'm not