pgpfan:mdc
Differences
pgpfan:mdc [2022/05/28 19:57] – Typo b.walzer | pgpfan:mdc [2022/07/18 22:58] – [The OpenPGP Modification Detection Code is Actually Good] b.walzer
Line 41: | Line 41: | ||
* The random data prefix is very well protected by the OpenPGP version of cipher feedback (OCFB). | * The random data prefix is very well protected by the OpenPGP version of cipher feedback (OCFB). | ||
| | ||
- | This might seem inelegant but it makes complete sense in an the OpenPGP context. This was preexisting in the OpenPGP standard: | + | This might seem inelegant but it makes complete sense in the OpenPGP context. This was preexisting in the OpenPGP standard: |
* The OCFB block mode is the standard mode used in OpenPGP. | * The OCFB block mode is the standard mode used in OpenPGP. | ||
Line 48: | Line 48: | ||
All that was required to make the MDC was the addition of a single hash. The MDC is actually an example of minimalist and appropriate design. | All that was required to make the MDC was the addition of a single hash. The MDC is actually an example of minimalist and appropriate design. | ||
- | I am not a professional cryptographer, | + | I am not a professional cryptographer, |
The combination of OCFB and MDC is effectively authenticated encryption. It detects changes in messages based on the shared secret of the encryption key. There is a definition of authenticated encryption that makes refusal to release suspect data mandatory, but that is not relevant for the sort of offline applications that OpenPGP is used for. There is only one encrypted message/ | The combination of OCFB and MDC is effectively authenticated encryption. It detects changes in messages based on the shared secret of the encryption key. There is a definition of authenticated encryption that makes refusal to release suspect data mandatory, but that is not relevant for the sort of offline applications that OpenPGP is used for. There is only one encrypted message/ | ||
Line 56: | Line 56: | ||
The MDC uses the SHA1 method for the hash. Not everyone knows that the discovered weakness in SHA1 is irrelevant to the MDC. I suppose you could redefine it as the "MDC hash" and specify that it only needs to be irreversible to prevent unnecessary angst. In general, the MDC is likely to be resistant to weaknesses in the hash due to the fact that the stored hash is encrypted and randomized by the random data which makes it very hard to mess with. | The MDC uses the SHA1 method for the hash. Not everyone knows that the discovered weakness in SHA1 is irrelevant to the MDC. I suppose you could redefine it as the "MDC hash" and specify that it only needs to be irreversible to prevent unnecessary angst. In general, the MDC is likely to be resistant to weaknesses in the hash due to the fact that the stored hash is encrypted and randomized by the random data which makes it very hard to mess with. | ||
- | The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. Proposals to add one or more encrypted authenticated modes and depreciate the MDC don't make sense to me. We would be better off if we simply did nothing. | + | The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. |
=====A Less Intuitive, More Technical Explanation===== | =====A Less Intuitive, More Technical Explanation===== | ||
- | OCFB-MDC is a case of hash then encrypt. The cipher block mode used is the modified version of cipher feedback used by OpenPGP (OCFB). The modification is | + | OCFB-MDC is a case of hash then encrypt. The cipher block mode is the modified version of cipher feedback used by OpenPGP (OCFB). The modification is |
the addition of a prefix block consisting of random data. The traditional CFB initialization vector (IV) is replaced by the encryption of a block of zeros. | the addition of a prefix block consisting of random data. The traditional CFB initialization vector (IV) is replaced by the encryption of a block of zeros. | ||
This serves to prevent an attacker from being able to get access to either the IV or the plaintext value of the random data prefix block. | This serves to prevent an attacker from being able to get access to either the IV or the plaintext value of the random data prefix block. |
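Review bot: the + side of the paragraph under Line 56 drops the two closing sentences ("Proposals to add one or more encrypted authenticated modes and depreciate the MDC don't make sense to me. We would be better off if we simply did nothing."), so the section now ends on "the sort of offline encryption that the OpenPGP standard embodies." without stating a position on the AEAD proposals that the section title "The OpenPGP Modification Detection Code is Actually Good" builds toward; if withdrawing that stance is intentional this is fine, otherwise a single replacement sentence would keep the conclusion, and if the dropped text is ever restored, "depreciate" should read "deprecate". The change from "The cipher block mode used is" to "The cipher block mode is" two lines later is a harmless tightening.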
pgpfan/mdc.txt · Last modified: 2023/12/11 13:30 by b.walzer