The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools

pgpfan:mdc

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Next revisionBoth sides next revision
pgpfan:mdc [2022/07/18 22:58] – [The OpenPGP Modification Detection Code is Actually Good] b.walzerpgpfan:mdc [2022/12/27 22:00] – We have a theoretical cryptography discussion now. b.walzer
Line 3: Line 3:
 I once worked for a company that had a strange and intriguing dilemma. They had a popular Product. Marketing determined that the popularity was due to the fact that the Product lasted significantly longer than competing products. No one in the company had the faintest idea why that was the case. The design did not differ in any obvious way from the design used by the competition. While I was there, an engineering project was initiated with the hope of understanding why the Product was better. I left the company before any definite result. For all I know the mystery still remains. I once worked for a company that had a strange and intriguing dilemma. They had a popular Product. Marketing determined that the popularity was due to the fact that the Product lasted significantly longer than competing products. No one in the company had the faintest idea why that was the case. The design did not differ in any obvious way from the design used by the competition. While I was there, an engineering project was initiated with the hope of understanding why the Product was better. I left the company before any definite result. For all I know the mystery still remains.
  
-The situation with the OpenPGP modification detection code (MDC) very much reminds me of the story of the Product. Legend has it that the MDC was created as a kind of an afterthought. It works very well but it is not obvious why it does. I have never seen an inclusive explanation. Here I will attempt to produce such an explanation.+The situation with the OpenPGP modification detection code (MDC) very much reminds me of the story of the Product. Legend has it that the MDC was created as a kind of an afterthought((Since I first wrote this, I have come to believe that this is //just// a legend. The principles that make the MDC work were known at the time of its design. See the [[pgpfan:intptxt]] article for the details.)). It works very well but it is not obvious why it does. I have never seen an inclusive explanation. Here I will attempt to produce such an explanation.
  
 When OpenPGP is used for something like email, the messages are authenticated directly with a signature. So the MDC is not relevant in the most common use case. So the MDC is not that important. It would still simplify things and eliminate much pointless discussion if the MDC could in fact be shown as strong. It would eliminate having to go through the more obscure uses of OpenPGP to determine how applicable the MDC was to each. When OpenPGP is used for something like email, the messages are authenticated directly with a signature. So the MDC is not relevant in the most common use case. So the MDC is not that important. It would still simplify things and eliminate much pointless discussion if the MDC could in fact be shown as strong. It would eliminate having to go through the more obscure uses of OpenPGP to determine how applicable the MDC was to each.
Line 13: Line 13:
 {{mdc1.svg}} {{mdc1.svg}}
  
-We create this by hashing the message. Then we append the hash to the end of the message. After that we encrypt everything; message and hash. To check for modification we hash the message and compare that hash to the hash appended to the message.+We create this by [[wp>Cryptographic_hash_function|hashing the message]]. Then we append the hash to the end of the message. After that we encrypt everything; message and hash. To check for modification we hash the message and compare that hash to the hash appended to the message.
  
 Let's consider the easiest situation for the attacker and assume they know the entire message. Then the attacker can hash that known message and will then know what the hash was before encryption. As a result they can modify the hash to any value they want by flipping bits as required. So the attacker can change the message to anything they want without restriction and can change the hash so that their changes would not be detected. If their target message is shorter than the original they can just generate the hash early and drop the extra part. So this is not entirely secure. Let's consider the easiest situation for the attacker and assume they know the entire message. Then the attacker can hash that known message and will then know what the hash was before encryption. As a result they can modify the hash to any value they want by flipping bits as required. So the attacker can change the message to anything they want without restriction and can change the hash so that their changes would not be detected. If their target message is shorter than the original they can just generate the hash early and drop the extra part. So this is not entirely secure.
Line 27: Line 27:
 {{mdc3.svg}} {{mdc3.svg}}
  
-We have added some random data to the start of the message. The random data prefix is included in the hash. That means that the attacker can never know the entire message and as a result will not know what the hash is to start with. As a result they will not be able to change the hash in a rational way by flipping bits.+We have added some random data to the start of the message. The random data prefix is included in the hash. That means that the attacker can never know the entire message and as a result will not know what the hash is to start with. As a result they will not be able to change the hash in a rational way by flipping bits. So the hash is protected by first randomizing it and then encrypting it.
  
 There are some mostly theoretical attacks that involve getting the victim to encrypt messages created by the attacker so that the attacker then can modify them by chopping off the start and/or the end of the message without detection. The version of cipher feedback used by OpenPGP((See the [[pgpfan:ocfb|OpenPGP's Improved Cipher Feedback Mode]] article for some more detail.)) (OCFB) prevents that sort of attack by preventing attacker knowledge of the random prefix data and requiring the key to create a new random prefix. This is the OCFB-MDC (OpenPGP Cipher FeedBack - Modification Detection Code) mode used by OpenPGP (irrelevant detail omitted): There are some mostly theoretical attacks that involve getting the victim to encrypt messages created by the attacker so that the attacker then can modify them by chopping off the start and/or the end of the message without detection. The version of cipher feedback used by OpenPGP((See the [[pgpfan:ocfb|OpenPGP's Improved Cipher Feedback Mode]] article for some more detail.)) (OCFB) prevents that sort of attack by preventing attacker knowledge of the random prefix data and requiring the key to create a new random prefix. This is the OCFB-MDC (OpenPGP Cipher FeedBack - Modification Detection Code) mode used by OpenPGP (irrelevant detail omitted):
  
 {{mdc4.svg}} {{mdc4.svg}}
 +
 +Now both the hash and the random data are protected by first randomizing them and then encrypting them.
  
 If you want to attack OCFB-MDC and modify a message without triggering the MDC you will have to deal with the following challenges: If you want to attack OCFB-MDC and modify a message without triggering the MDC you will have to deal with the following challenges:
pgpfan/mdc.txt · Last modified: 2023/12/11 13:30 by b.walzer