
[openpgp] encrypted packets' quick integrity check

2016-03-08 06:56:51
Hi,

I recently took a look at the Mister and Zuccherato attack on the
quick integrity check in encrypted packets (i.e., that the last two
bytes of the IV are correctly repeated) and I have two suggestions for
RFC4880bis.


The attack relies on finding the correct values for the quick
integrity check using an exhaustive search.  This can be defeated by
making an exhaustive search unfeasible.  Concretely, instead of just
copying the last two bytes of the random IV, we replicate the whole
IV.  This should be easy to do for SEIPD packets, since we have a
version field.  Alternatively, we could store the hash of the session
key, as Mister and Zuccherato suggest in Section 5.2 of their paper.


Also, the following text regarding this issue is in RFC 4880:

     In winter 2005, Serge Mister and Robert Zuccherato from Entrust
     released a paper describing a way that the "quick check" in OpenPGP
     CFB mode can be used with a random oracle to decrypt two octets of
     every cipher block [MZ05].  They recommend as prevention not using
     the quick check at all.

     Many implementers have taken this advice to heart for any data that
     is symmetrically encrypted and for which the session key is
     public-key encrypted.  In this case, the quick check is not needed
     as the public-key encryption of the session key should guarantee
     that it is the right session key.  In other cases, the
     implementation should use the quick check with care.

As far as I can tell, the attack applies equally well whether a PK-ESK
or SK-ESK packet is used to store the session key.  This is because
the attack just exploits the session key; it doesn't matter how it is
stored.  Does anyone know why this attack should not apply to SK-ESK
packets (FWIW, GnuPG uses the check when the session key is stored in
an SK-ESK packet, but not when it is stored in a PK-ESK packet)?  If
not, I think this text should be updated to remove "and for which the
session key is public-key encrypted".

Thanks!

:) Neal
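
The quick check and the whole-IV variant proposed above, as an added example that is not part of the message or of any OpenPGP implementation. It uses a constructed hash-based stand-in for the block cipher (CFB mode only needs the forward direction, so this keeps the example offline and dependency-free); everything else follows the RFC 4880 SEIPD layout: `BLOCK_SIZE` random octets, a repeat of the trailing octets, CFB with an all-zero IV.

```python
import hashlib

BLOCK_SIZE = 16  # block size in octets (AES-sized)


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher's forward function; NOT AES."""
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK_SIZE):
        keystream = toy_block_encrypt(key, prev)
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK_SIZE], keystream))
        out += block
        prev = block  # CFB feeds the ciphertext block back as the next input
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK_SIZE):
        keystream = toy_block_encrypt(key, prev)
        block = data[i:i + BLOCK_SIZE]
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return bytes(out)


def make_prefix(random_block: bytes, repeat_len: int) -> bytes:
    """SEIPD prefix: BLOCK_SIZE random octets plus a repeat of the last
    `repeat_len` of them (2 in RFC 4880; BLOCK_SIZE for the whole-IV variant)."""
    assert len(random_block) == BLOCK_SIZE and 0 < repeat_len <= BLOCK_SIZE
    return random_block + random_block[-repeat_len:]


def seipd_encrypt(key: bytes, random_block: bytes, repeat_len: int, plaintext: bytes) -> bytes:
    # SEIPD encrypts prefix || plaintext in CFB mode with an all-zero IV.
    return cfb_encrypt(key, bytes(BLOCK_SIZE), make_prefix(random_block, repeat_len) + plaintext)


def quick_check(key: bytes, ciphertext: bytes, repeat_len: int) -> bool:
    """Decrypt-side check: True iff the repeated octets match after decryption."""
    pre = cfb_decrypt(key, bytes(BLOCK_SIZE), ciphertext[:BLOCK_SIZE + repeat_len])
    return pre[BLOCK_SIZE - repeat_len:BLOCK_SIZE] == pre[BLOCK_SIZE:]


def check_search_space_bits(repeat_len: int) -> int:
    """Bits a guess against the check must get right: 16 for RFC 4880, 128 for whole-IV."""
    return 8 * repeat_len
```

With `repeat_len=2` a wrong guess still passes the check with probability 2^-16, which is what makes an exhaustive search practical; with the whole block repeated that drops to 2^-128.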


_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
