ietf-smime

RE: Strawman for adding a MDC to encrypted data

2006-12-15 14:47:53

I don't know exactly what OpenPGP does, so maybe it's fine.

> It encrypts the SHA-1 hash in CFB mode.  Unfortunately the only analysis I'm
> aware of (I've just asked on the OpenPGP list) is by Hungarian cryptographer
> Daniel Nagy:
>
>   I have just discussed this issue with my students at our cryptography
>   seminar. The general consensus is that MDCs do not need collision
>   resistance. Thus, SHA1 is secure with a huge security margin. The recent
>   weakening of SHA1 means that finding a pre-image takes approx 2^138
>   attempts, which is still comfortably beyond reach for today's and tomorrow's
>   technology. Introducing longer hashes would make it slower, while not
>   improving security. If you insist, I can provide the complete reasoning why
>   collision-resistance is not required for MDC.

Peter,

   I don't know what the above rationale is.  However, there is 
a real-world consideration that is often overlooked in purely 
mathematical analyses of hash function shortcomings.  In order 
for an attacker to successfully exploit a hash collision it is 
necessary not only to find a collision, but to find one that 
yields a meaningful message.  Especially in applications such 
as S/MIME where the payload is often a formatted text message, 
just finding ANY arbitrary collision wouldn't work.  It would 
be likely to corrupt the message format, or otherwise cause 
the receiving client to display gibberish.  I suspect that this 
is true for a lot of applications.  So above and beyond the 
probability of finding a collision, you have to factor in the 
probability of finding a meaningful (and presumably 
harmful) message that collides.  I suspect that number is MUCH 
smaller.

   I wouldn't even BEGIN to know how to quantify all the factors 
in this for a probability calculation.  Perhaps that is why it 
is so seldom mentioned.  ;-)

Best regards,
Chris B.
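An added sketch, not code from this thread or from any OpenPGP implementation, of the construction Peter describes: the SHA-1 of the plaintext is appended to it and both are encrypted in one CFB stream, and the receiver recomputes the hash after decryption. It is a simplified illustration rather than the RFC 4880 packet format; SHA-1 is used only because it is what the thread discusses, and the key, IV and message in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"crypto/subtle"
	"errors"
)

// seal appends SHA-1(plaintext) to the plaintext and encrypts both in one CFB stream.
func seal(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	sum := sha1.Sum(plaintext)
	data := append(append([]byte{}, plaintext...), sum[:]...)
	out := make([]byte, len(data))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(out, data)
	return out, nil
}

// open decrypts, splits off the trailing 20-byte MDC and checks it against a fresh SHA-1.
func open(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < sha1.Size {
		return nil, errors.New("ciphertext shorter than the MDC")
	}
	data := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(data, ciphertext)
	n := len(data) - sha1.Size
	plaintext, mdc := data[:n], data[n:]
	want := sha1.Sum(plaintext)
	if subtle.ConstantTimeCompare(mdc, want[:]) != 1 {
		return nil, errors.New("MDC mismatch: ciphertext was modified")
	}
	return plaintext, nil
}

// flipBit copies buf with one bit flipped: CFB is malleable, so this needs no key; the MDC catches it.
func flipBit(buf []byte, bit int) []byte {
	out := append([]byte{}, buf...)
	out[bit/8] ^= 1 << uint(bit%8)
	return out
}
```

Flipping a ciphertext bit in the message part changes the recovered plaintext, and flipping one in the trailing 20 bytes changes the recovered hash; either way the recomputed SHA-1 no longer matches, which is the second-preimage condition Nagy refers to rather than a collision.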