Re: [openpgp] encrypted packets' quick integrity check

2016-03-14 09:37:40
Hi,
> The attack relies on finding the correct values for the quick
> integrity check using an exhaustive search.  This can be defeated by
> making an exhaustive search unfeasible.  Concretely, instead of just
> copying the last two bytes of the random IV, we replicate the whole
> IV.  This should be easy to do for SEIPD packets, since we have a
> version field.  Alternatively, we could store the hash of the session
> key, as Mister and Zuccherato suggest in Section 5.2 of their paper.

If you reuse the entire IV, the check itself will be very easy to bypass: just
prepend the ciphertext with two blocks of zeroes.

Then, in order for the rest of the ciphertext to make sense, you need to find a
block that, when decrypted, resembles a dummy packet of appropriate size to
line up with the rest of the packets. You can do that by adding another block
between the zeroes and the original ciphertext and brute-forcing the first few
bytes of it.

If you want to go in that direction, you can use the second half of the IV, or 
the IV in reverse. That should fix the issue.
Regards,
Jonas