security fixes (KDF, MDC->MAC)?
Trevor Perrin <Tperrin@sigaba.com> Thu, 26 September 2002 19:27 UTC
Message-id: <2129B7848043D411881A00B0D0627EFEBFB1A7@exchange.sigaba.com>
From: Trevor Perrin <Tperrin@sigaba.com>
To: "'ietf-openpgp@imc.org'" <ietf-openpgp@imc.org>
Subject: security fixes (KDF, MDC->MAC)?
Date: Thu, 26 Sep 2002 12:18:01 -0700
List-Archive: <http://www.imc.org/ietf-openpgp/mail-archive/>
List-Unsubscribe: <mailto:ietf-openpgp-request@imc.org?body=unsubscribe>
List-ID: <ietf-openpgp.imc.org>
Hello OpenPGP,

Is there interest in fixing the security flaws discussed in the recent "security analysis" thread?

(1) The Integrity Protected Data and MDC Packets fail to stop Schneier et al's attack, because the ciphertext blocks can be pasted into a non-integrity-protected packet (i.e. ciphertext from a tag 18 packet can be placed in a tag 9 packet, evading the MDC).

(2) Once an attack like the above has recovered the prefix data, forgeries are possible:
http://www.imc.org/ietf-openpgp/mail-archive/msg05804.html

One fix (due to John Kane) would be a version 2 of the integrity-protected packet (tag 18). This new version would use a key derivation function (KDF) to derive separate encryption and authentication keys. The authentication key would be used by a new MAC packet (say tag 20), which would be just like the MDC packet but use HMAC-SHA1 instead of SHA1.

  Version = Integrity Protected Data Packet Version Number (2)
  EncKey  = KDF(SessionKey, Version, 0)
  AuthKey = KDF(SessionKey, Version, 1)

Since the encryption key is now the result of a version-dependent KDF, downgrade attacks like (1) are prevented. Since the MAC depends on the AuthKey which an attacker doesn't know, forgeries (2) are prevented.

So what do people think? Is a fix like this worth it?

Trevor
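An added illustration of the proposal above (not code from the post or from any OpenPGP implementation): version-bound key separation plus an HMAC-SHA1 "MAC packet" over the plaintext. The KDF is not specified in the post, so an HMAC-SHA1 construction over SessionKey, Version and a purpose byte is assumed here; the keystream function is a constructed stand-in for OpenPGP CFB mode, used only to show that a version 2 body no longer decrypts under a legacy packet that uses the raw session key.

```python
import hmac
import hashlib

MDC_V1 = 1   # existing tag 18: raw session key, SHA-1 MDC
MAC_V2 = 2   # proposed version 2: KDF-separated keys, HMAC-SHA1 MAC packet
TAG_LEN = 20 # HMAC-SHA1 output length


def kdf(session_key: bytes, version: int, purpose: int) -> bytes:
    # Assumed KDF (the post leaves it open): HMAC-SHA1 keyed by the
    # session key over Version || purpose, so the derived key changes
    # whenever the packet version or the key's role changes.
    return hmac.new(session_key, bytes([version, purpose]), hashlib.sha1).digest()


def derive_keys(session_key: bytes, version: int):
    # EncKey = KDF(SessionKey, Version, 0); AuthKey = KDF(SessionKey, Version, 1)
    return kdf(session_key, version, 0), kdf(session_key, version, 1)


def keystream(key: bytes, length: int) -> bytes:
    # Constructed stand-in for CFB encryption: a counter-mode keystream
    # from HMAC-SHA1. Any unauthenticated cipher makes the same point.
    out = b""
    for ctr in range(0, (length + TAG_LEN - 1) // TAG_LEN):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha1).digest()
    return out[:length]


def seal_v2(session_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt plaintext || MAC-packet body, where the MAC is HMAC-SHA1
    # under AuthKey (the MDC packet with the hash replaced by a MAC).
    enc_key, auth_key = derive_keys(session_key, MAC_V2)
    body = plaintext + hmac.new(auth_key, plaintext, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, len(body))))


def open_v2(session_key: bytes, ciphertext: bytes):
    # Decrypt under EncKey and verify the trailing MAC; None on failure.
    enc_key, auth_key = derive_keys(session_key, MAC_V2)
    body = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, len(ciphertext))))
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(auth_key, plaintext, hashlib.sha1).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None


def legacy_decrypt(session_key: bytes, ciphertext: bytes) -> bytes:
    # What a tag 9 (or version 1) receiver does: decrypt with the raw
    # session key and no integrity check. Version 2 ciphertext pasted
    # here yields garbage, since EncKey != SessionKey.
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(session_key, len(ciphertext))))
```

Keys derived for different versions differ, so ciphertext cannot be moved between packet versions, and any change to a version 2 body fails the MAC check.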