ietf-openpgp

Re: Is there any published analysis of OpenPGP's MDC?

2006-12-12 20:52:38

Adam Back <adam(_at_)cypherspace(_dot_)org> writes:

> I think one has to consider the attacker may know the hash, and also given
> the recent issues around SHA1 be able to with some effort compute related
> hashes of modified documents, tho at present with many limitations.

Yeah, I was assuming known plaintext.

(Actually one way to make this more difficult is to encrypt (say) 128 bits of
zeroes after the message for which the ciphertext gets hashed but not
transmitted.  This eliminates the known-plaintext properties).

> With that background, CFB and CBC encryption remain quite malleable, and a
> number of surprising things have been shown to be possible through it in
> attacks on other protocols.  (Part of the reason for introducing the MDC!)
> Personally I think it's just more conservative to use a MAC, like HMAC-SHA1
> with a separate key.

Where would you get the separate key from?  There's no easy way to get a
separate MAC key from a PKC-encrypted conventional key.  Specifically, if
you're using something like a smart card that only supports "unwrap RSA-
encrypted key into 3DES object", you can't even get at the key.

(I realise there are various kludges possible, but I'm not aware of any
cryptographically sound way to do it.  You can't use one key for both
encryption and MAC, deriving the MAC key from the encryption key compromises
the MAC key if the encryption key is compromised, feeding both into a PRF
means you lose backwards-compatibility with existing code that doesn't know
the encryption key has to go through a PRF first, etc etc).

Peter.
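The two points above, malleability of an unauthenticated cipher mode under known plaintext, and the need to run the session key through a PRF to obtain an independent MAC key, can be shown side by side. The following is an added example written for this archive page; it is not code from the thread, from GnuPG, or from any OpenPGP implementation. It uses only the Python standard library, so the cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for CFB (the bit-flip property it shows holds for any XOR-based mode, including the first block of CFB); the key-derivation labels and the sample message are likewise constructed. It demonstrates exactly the trade-off Peter describes: the recipient only gets the verification if it knows to feed the unwrapped session key through the PRF first, which existing code does not.

```python
# Added example (not part of the original thread or of any OpenPGP implementation).
# Shows: (1) a known-plaintext bit-flip on an unauthenticated XOR-style mode,
#        (2) deriving separate encryption and MAC keys from one session key via a PRF,
#        (3) encrypt-then-MAC with HMAC-SHA256 rejecting the flipped ciphertext.
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over HMAC-SHA256; the PRF step Peter refers to."""
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(session_key: bytes) -> tuple:
    """Split one PKC-wrapped session key into independent enc and MAC keys.
    The salt and the 'enc'/'mac' labels are constructed for this example."""
    prk = hmac.new(b"example-kdf-salt", session_key, hashlib.sha256).digest()
    return hkdf_expand(prk, b"enc", 32), hkdf_expand(prk, b"mac", 32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode (stdlib has no AES)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_then_mac(session_key: bytes, nonce: bytes, plaintext: bytes) -> tuple:
    enc_key, mac_key = derive_keys(session_key)
    ct = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_and_verify(session_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Returns plaintext, or None if the HMAC over the ciphertext does not verify."""
    enc_key, mac_key = derive_keys(session_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def decrypt_unauthenticated(session_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    """Legacy-style decryption that ignores the tag: accepts whatever it is given."""
    enc_key, _ = derive_keys(session_key)
    return xor(ct, keystream(enc_key, nonce, len(ct)))


def known_plaintext_edit(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XOR the ciphertext with old^new where 'old' is known to sit."""
    delta = xor(old, new)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]


def demo() -> tuple:
    session_key = bytes(range(32))          # constructed session key
    nonce = b"\x00" * 16                    # constructed nonce
    msg = b"pay 0100 units"                 # constructed known plaintext
    ct, tag = encrypt_then_mac(session_key, nonce, msg)
    forged = known_plaintext_edit(ct, 4, b"0100", b"9100")
    without_mac = decrypt_unauthenticated(session_key, nonce, forged)   # edit goes through
    with_mac = decrypt_and_verify(session_key, nonce, forged, tag)      # rejected -> None
    return without_mac, with_mac


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the forged plaintext from the unauthenticated path and `None` from the verified path. The MAC key never leaves the PRF output, so compromise of `enc_key` alone does not expose `mac_key`, which is the property a MAC key derived directly from the cipher key would lack; the cost is that both sides must agree to apply the PRF.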
