Understanding MDC (Modification Detection Code)

David Shaw dshaw@jabberwocky.com
Tue Apr 8 17:10:02 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Apr 08, 2003 at 01:24:15PM +0200, Per Tunedal wrote:

> At 08:48 2002-10-19 -0400, you wrote:
> >On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote:
> >> The faq states that having key preferences of TwoFish and AES implies
> >> the keyholder has the capability of using MDC encryption.  This may be
> >> true, but my tests are showing that MDC is disjoint from those
> >> algorithms.  PGP 6.5.1i can handle MDC, and it's limited to the IDEA,
> >> CAST, and 3DES ciphers.
> >
> >That is correct.  As you saw, MDC is unrelated from any particular
> >cipher choice.  However, given the general evolution of OpenPGP, it is
> >possible to infer from the presence of Twofish and AES that MDC
> >exists.  Ideally, of course, the key would have an explicit MDC flag,
> >but PGP does not do this.
> >
> >> How exactly does MDC work?  I know with MDC out of the picture, if
> >> someone changes the ciphertext, the receiver knows.  Either the
> >> receiver will get garbage, or the receiver won't be able to decrypt
> >> the message at all.  So what's the purpose of MDC?
> >
> >Among other things, read http://www.counterpane.com/pgp-attack.html
> >
> >> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC,
> >> but PGP 6.5.1i can.  Was MDC capability removed, and then re-added in
> >> PGP7?
> >
> >6.5.8 != 6.5.1i.  Two different programs.
> >
> >David
> >
> I have re-read the document above today and realised that compressed data
> e.g. zip-files might be a problem. The document tells that the attack
> succeeds in 100% of the times if compression isn't used. And GPG doesn't
> compress data if it already is compressed, right?

Correct.

> And the mdc doesn't help against this vulnerability?

Incorrect.  The MDC stops this vulnerability.

Note that the chosen ciphertext attack mentioned requires a lot more
than an uncompressed file to succeed: the victim needs to cooperate
(even unknowingly) and send back decrypted text.

> BTW I found the switch --force-mdc that might be useful if not AES or
> Twofish are used. Any problems with that? (I am testing it right now!)

No problem, so long as your recipient can handle MDCs.  That means PGP
7 or later, or GnuPG.

David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2rc1 (GNU/Linux)
Comment: http://www.jabberwocky.com/david/keys.asc

iD8DBQE+kuaK4mZch0nhy8kRAq7sAKCjyO7yGnWsEAuCh9bdYqdO1hAu0gCfYArk
ama2DJb0LP99d2cclia7h0Y=
=2Dx+
-----END PGP SIGNATURE-----