The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools

pgpfan:mdc

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pgpfan:mdc [2022/12/27 22:00] – We have a theoretical cryptography discussion now. b.walzerpgpfan:mdc [2024/06/29 21:25] (current) – The technical article now exists. b.walzer
Line 1: Line 1:
 ======The OpenPGP Modification Detection Code is Actually Good====== ======The OpenPGP Modification Detection Code is Actually Good======
 +
 +//A more detailed (and technical) article covering the same ground as this one exists: [[pgpfan:seip]].//
  
 I once worked for a company that had a strange and intriguing dilemma. They had a popular Product. Marketing determined that the popularity was due to the fact that the Product lasted significantly longer than competing products. No one in the company had the faintest idea why that was the case. The design did not differ in any obvious way from the design used by the competition. While I was there, an engineering project was initiated with the hope of understanding why the Product was better. I left the company before any definite result. For all I know the mystery still remains. I once worked for a company that had a strange and intriguing dilemma. They had a popular Product. Marketing determined that the popularity was due to the fact that the Product lasted significantly longer than competing products. No one in the company had the faintest idea why that was the case. The design did not differ in any obvious way from the design used by the competition. While I was there, an engineering project was initiated with the hope of understanding why the Product was better. I left the company before any definite result. For all I know the mystery still remains.
  
-The situation with the OpenPGP modification detection code (MDC) very much reminds me of the story of the Product. Legend has it that the MDC was created as a kind of an afterthought((Since I first wrote this, I have come to believe that this is //just// a legend. The principles that make the MDC work were known at the time of its design. See the [[pgpfan:intptxt]] article for the details.)). It works very well but it is not obvious why it does. I have never seen an inclusive explanation. Here I will attempt to produce such an explanation.+The situation with the OpenPGP modification detection code (MDC) very much reminds me of the story of the Product. Legend has it that the MDC was created as a kind of an afterthought((Since I first wrote this, I have come to believe that this is //just// a legend. The principles that make the MDC work were known at the time of its design. See the [[pgpfan:intptxt]] article for a related discussion.)). It works very well but it is not obvious why it does. I have never seen an inclusive explanation. Here I will attempt to produce such an explanation
 + 
 +Note that there is a another legend floating around that states that the MDC only has the equivalent of "16 bits of security". This is simply wrong and was probably the result of failing to read to the bottom of an email thread(([[https://mailarchive.ietf.org/arch/msg/openpgp/UYEBC7hnZNbMoNWrfz9zJQb_FUk/|The misread ITEF OpenPGP discussion thread about the security properties of the MDC]])).
  
 When OpenPGP is used for something like email, the messages are authenticated directly with a signature. So the MDC is not relevant in the most common use case. So the MDC is not that important. It would still simplify things and eliminate much pointless discussion if the MDC could in fact be shown as strong. It would eliminate having to go through the more obscure uses of OpenPGP to determine how applicable the MDC was to each. When OpenPGP is used for something like email, the messages are authenticated directly with a signature. So the MDC is not relevant in the most common use case. So the MDC is not that important. It would still simplify things and eliminate much pointless discussion if the MDC could in fact be shown as strong. It would eliminate having to go through the more obscure uses of OpenPGP to determine how applicable the MDC was to each.
Line 59: Line 63:
  
 The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. [[pgpfan:no_new_ae|Proposals to add one or more encrypted authenticated modes and depreciate the MDC don't make sense to me]]. We would be better off if we simply did nothing. The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. [[pgpfan:no_new_ae|Proposals to add one or more encrypted authenticated modes and depreciate the MDC don't make sense to me]]. We would be better off if we simply did nothing.
- 
-=====A Less Intuitive, More Technical Explanation===== 
- 
-OCFB-MDC is a case of hash then encrypt. The cipher block mode is the modified version of cipher feedback used by OpenPGP (OCFB). The modification is 
-the addition of a prefix block consisting of random data. The traditional CFB initialization vector (IV) is replaced by the encryption of a block of zeros. 
-This serves to prevent an attacker from being able to get access to either the IV or the plaintext value of the random data prefix block. 
- 
-The modification detection code (MDC) is a SHA1 hash of the random data prefix block and the plaintext message. The inclusion of the random data makes the 
-MDC unpredictable and prevents known plaintext based modification. 
- 
-OCFB-MDC is immune to the classic attacks against hash then encrypt that involve getting the victim to encrypt an attack message that is later truncated to 
-produce a second valid message. 
  
 =====References===== =====References=====
Line 76: Line 68:
   * [[https://www.rfc-editor.org/rfc/rfc4880#section-5.13|RFC-4880 sec 5.13 (Symmetrically Encrypted Integrity Protected Data packet)]]   * [[https://www.rfc-editor.org/rfc/rfc4880#section-5.13|RFC-4880 sec 5.13 (Symmetrically Encrypted Integrity Protected Data packet)]]
   * [[https://www.rfc-editor.org/rfc/rfc4880#section-5.14|RFC-4880 sec 5.14 (Modification Detection Code packet)]]   * [[https://www.rfc-editor.org/rfc/rfc4880#section-5.14|RFC-4880 sec 5.14 (Modification Detection Code packet)]]
-  * [[https://mailarchive.ietf.org/arch/msg/openpgp/UYEBC7hnZNbMoNWrfz9zJQb_FUk/|IETF OpenPGP email list thread about the security properties of the MDC]] 
  
 [[pgpfan:index|PGP FAN index]]\\ [[pgpfan:index|PGP FAN index]]\\
 [[em:index|Encrypted Messaging index]] [[em:index|Encrypted Messaging index]]
  
pgpfan/mdc.1672178405.txt.gz · Last modified: 2022/12/27 22:00 by b.walzer