ietf-openpgp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [openpgp] Is 64-bit blocks really insecure?

2015-04-03 18:36:23
from [Ryan Carboni] [Permanent Link] 
"Most zippers available today implement only one of the compression methods
defined in APPNOTE.TXT, called deflate. Deflate uses Huffman coding followed
by a variant of Lempel-Ziv. Once the dictionary reaches a certain size, the
process
starts over. Since the Huffman codes for any of the data depend on a great
deal of
surrounding data, one is forced to guess the plaintext unless one has the
original
data. The difficulty of getting known plaintext was one reason Phil
Zimmerman
decided to use deflate in PGP [PGP98]. Practically speaking, if one has
enough
of the original file to get the thirteen bytes of plaintext required for
the attack
in [BK94], one has enough to break the encryption almost instantly."

"The PKZIP stream cipher was designed by Roger Schaffely and is fully
described
in the file APPNOTE.TXT found in most PKZIP distributions. The internal
state of the cipher consists of three 32-bit words: key0, key1, and key2.
These
values are initialized to 0x12345678, 0x23456789, and 0x34567890,
respectively.
The internal state is updated by mixing in the next plaintext byte. The
first and
third words are updated using the linear feedback shift register known as
CRC-
32; the second word is updated using a truncated linear congruential
generator.
The output byte is the result of a truncated pseudo-squaring operation. (See
Figure 1.)
unsigned char "

On Fri, Apr 3, 2015 at 2:48 AM, Jim Peterson 
<Jim(_dot_)Peterson(_at_)pkware(_dot_)com>
wrote:


 The PKZIP CRC algorithm was designed only as a means for checksum
verification to detect dropped or damaged bits in a compressed file.  The
PKZIP compressed ZIP file format has evolved to include support for strong
encryption algorithms (3des, aes) using public/private key pairs following
either the X.509 or OpenPGP key formats.





*From:* openpgp [mailto:openpgp-bounces(_at_)ietf(_dot_)org] *On Behalf Of 
*Ryan
Carboni
*Sent:* Friday, April 03, 2015 2:35 AM
*To:* openpgp(_at_)ietf(_dot_)org
*Subject:* [openpgp] Is 64-bit blocks really insecure?



Given that the PKZIP cipher is a CRC stream cipher that requires 13 known
bytes... but factoring in the deflate algorithm, this increases to
gigabytes of data.

This security of PKZIP was the reason why compression was included in PGP.


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [openpgp] Is 64-bit blocks really insecure?, Jim Peterson
Next by Date:  Re: [openpgp] ways forward wrt IETF wg - please try answer by Apr 8th, Ben McGinnes
Previous by Thread:  Re: [openpgp] Is 64-bit blocks really insecure?, Jim Peterson
Next by Thread:  [openpgp] MIME signature impact, Phillip Hallam-Baker
Indexes:  [Date] [Thread] [Top] [All Lists]