Re: Is there any published analysis of OpenPGP's MDC?
Peter Gutmann <pgut001 <at> cs.auckland.ac.nz>
2006-12-13 03:31:57 GMT
Adam Back <adam <at> cypherspace.org> writes:
>I think one has to consider the attacker may know the hash, and also given
>the recent issues around SHA1 be able to with some effort compute related
>hashes of modified documents, tho at present with many limitations.
Yeah, I was assuming known plaintext.
(Actually one way to make this more difficult is to encrypt (say) 128 bits of
zeroes after the message for which the ciphertext gets hashed but not
transmitted. This eliminates the known-plaintext properties).
>With that background, CFB and CBC encryption remain quite malleable, and a
>number of surprising things have been shown to be possible through it in
>attacks on other protocols. (Part of the reason for introducing the MDC!)
>Personally I think it's just more conservative to use a MAC, like HMAC-SHA1
>with a separate key.
Where would you get the separate key from? There's no easy way to get a
separate MAC key from a PKC-encrypted conventional key. Specifically, if
you're using something like a smart card that only supports "unwrap
RSA-encrypted key into 3DES object", you can't even get at the key.
(I realise there are various kludges possible, but I'm not aware of any
cryptographically sound way to do it. You can't use one key for both
encryption and MAC, deriving the MAC key from the encryption key compromises
the MAC key if the encryption key is compromised, feeding both into a PRF
means you lose backwards-compatibility with existing code that doesn't know
the encryption key has to go through a PRF first, etc etc).
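The key-separation point above, as an added example that is not part of the thread: the rejected scheme derives the MAC key from the encryption key alone, so whoever holds the encryption key can forge tags, while deriving both subkeys from the unwrapped session key through a PRF keeps them independent. HMAC-SHA-256 as the PRF, the session key and the stand-in ciphertext are all constructed assumptions.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed stand-in for the conventional key a recipient unwraps from the
# PKC-encrypted packet (not a real key from the thread).
SESSION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
# Constructed stand-in for a CFB ciphertext; the cipher itself is not the point here.
CIPHERTEXT = bytes.fromhex("9f1c3a77e05b24d8c6a1f00e4b3d5a2c7e8f9011")

def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA-256 used as a PRF: a one-way, fixed-size output per (key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def derive_mac_from_enc(k_enc: bytes) -> bytes:
    """The scheme Gutmann rejects: the MAC key is a function of the encryption
    key alone, so anyone who learns k_enc can recompute k_mac."""
    return prf(k_enc, b"mac")

def derive_pair_from_master(k_master: bytes) -> Tuple[bytes, bytes]:
    """Feeding the unwrapped key through a PRF: both subkeys come from k_master
    under distinct labels, and neither subkey reveals the other."""
    return prf(k_master, b"enc"), prf(k_master, b"mac")

def tag(k_mac: bytes, ciphertext: bytes) -> bytes:
    """MAC over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(k_mac, ciphertext, hashlib.sha256).digest()

def verify(k_mac: bytes, ciphertext: bytes, t: bytes) -> bool:
    return hmac.compare_digest(tag(k_mac, ciphertext), t)

def demo() -> dict:
    """Compare the two derivations from the point of view of someone holding only k_enc."""
    k_enc, k_mac = derive_pair_from_master(SESSION_KEY)
    t = tag(k_mac, CIPHERTEXT)
    tampered = bytes([CIPHERTEXT[0] ^ 0x01]) + CIPHERTEXT[1:]
    # Sound scheme: the only MAC key computable from k_enc is not the real one.
    enc_only_tag = tag(derive_mac_from_enc(k_enc), CIPHERTEXT)
    # Flawed scheme: the recipient's MAC key *is* derive_mac_from_enc(k_enc).
    flawed_k_mac = derive_mac_from_enc(k_enc)
    return {
        "tag_verifies": verify(k_mac, CIPHERTEXT, t),
        "tamper_detected": not verify(k_mac, tampered, t),
        "enc_only_forgery_accepted_sound": verify(k_mac, CIPHERTEXT, enc_only_tag),
        "enc_only_forgery_accepted_flawed": verify(flawed_k_mac, CIPHERTEXT, enc_only_tag),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```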