ietf-openpgp
[Top] [All Lists]

RE: security fixes (KDF, MDC->MAC)?

2002-09-27 12:23:20


Fixed a typo-

-----Original Message-----
From: disastry(_at_)saiknes(_dot_)lv [mailto:disastry(_at_)saiknes(_dot_)lv]

5.13.
[...]    Unlike the Symmetrically Encrypted Data Packet, no
  special CFB resynchronization is done after encrypting this prefix
  data.

doesn't this prevent converting packet 18 to 9 ?


It doesn't completely prevent the JKS attack.  The attacker can still copy
the first two blocks of ciphertext from a packet 18 to 9, and the check
bytes will decrypt appropriately, but the remainder of the second block will
be scrambled.

So this will probably leave a malformed packet header, but there's a chance
the header might still work, depending on how strict the parsing code is
(for example, what if the packet tag gets randomly set to 11 for Literal
Data, but the length is wrong?).  The attacker can flip bits in the
remainder of the second block and keep submitting guesses to a decryption
oracle, until he stumbles on a packet header that makes the attack work.  

The attacker may also learn information from observing the oracle which lets
him reconstruct the keystream bytes that the ciphertext is being XOR'd with.
For example, if the oracle says "Error: packet tag 62 not supported", the
attacker can reconstruct the keystream bits that correspond to the packet
tag, and thus gain the ability to control its value.


Trevor

<Prev in Thread] Current Thread [Next in Thread>