Hello OpenPGP,
Is there interest in fixing the security flaws discussed in the recent
"security analysis" thread? -
(1) the Integrity Protected Data and MDC Packets fail to stop Schneier et
al's attack, because the ciphertext blocks can be pasted into a
non-integrity protected packet (ie ciphertext from a tag 18 packet can be
placed in a tag 9 packet, evading the MDC).
(2) Once an attack like above recovered the prefix data, forgeries are
possible:
http://www.imc.org/ietf-openpgp/mail-archive/msg05804.html
One fix (due to John Kane) would be a version 2 of the integrity-protected
packet (tag 18). This new version would use a key derivation function (KDF)
to derive separate encryption and authentication keys. The authentication
key would be used by a new MAC packet (say tag 20), which would be just like
the MDC packet but use HMAC-SHA1 instead of SHA1.
Version = Integrity Protected Data Packet Version Number (2)
EncKey = KDF(SessionKey, Version, 0)
AuthKey = KDF(SessionKey, Version, 1)
Since the encryption key is now the result of a version-dependent KDF,
downgrade attacks like (1) are prevented.
Since the MAC depends on the AuthKey which an attacker doesn't know,
forgeries (2) are prevented.
So what do people think? Is a fix like this worth it?
Trevor