ietf-openpgp
[Top] [All Lists]

security fixes (KDF, MDC->MAC)?

2002-09-26 12:18:10



Hello OpenPGP,

Is there interest in fixing the security flaws discussed in the recent
"security analysis" thread? -

(1) the Integrity Protected Data and MDC Packets fail to stop Schneier et
al's attack, because the ciphertext blocks can be pasted into a
non-integrity protected packet (ie ciphertext from a tag 18 packet can be
placed in a tag 9 packet, evading the MDC).

(2) Once an attack like above recovered the prefix data, forgeries are
possible:
http://www.imc.org/ietf-openpgp/mail-archive/msg05804.html

One fix (due to John Kane) would be a version 2 of the integrity-protected
packet (tag 18).  This new version would use a key derivation function (KDF)
to derive separate encryption and authentication keys.  The authentication
key would be used by a new MAC packet (say tag 20), which would be just like
the MDC packet but use HMAC-SHA1 instead of SHA1.

Version = Integrity Protected Data Packet Version Number (2)
EncKey  = KDF(SessionKey, Version, 0)
AuthKey = KDF(SessionKey, Version, 1)

Since the encryption key is now the result of a version-dependent KDF,
downgrade attacks like (1) are prevented.

Since the MAC depends on the AuthKey which an attacker doesn't know,
forgeries (2) are prevented.

So what do people think?  Is a fix like this worth it?

Trevor

<Prev in Thread] Current Thread [Next in Thread>