Understanding MDC (Modification Detection Code)

David Shaw dshaw@jabberwocky.com
Sat Oct 19 14:47:03 2002

On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote:
> The faq states that having key preferences of TwoFish and AES implies
> the keyholder has the capability of using MDC encryption.  This may be
> true, but my tests are showing that MDC is disjoint from those
> algorithms.  PGP 6.5.1i can handle MDC, and it's limited to the IDEA,
> CAST, and 3DES ciphers.

That is correct.  As you saw, MDC is unrelated to any particular
cipher choice.  However, given the general evolution of OpenPGP, it is
possible to infer from the presence of Twofish and AES that MDC
exists.  Ideally, of course, the key would have an explicit MDC flag,
but PGP does not do this.

> How exactly does MDC work?  I know with MDC out of the picture, if
> someone changes the ciphertext, the receiver knows.  Either the
> receiver will get garbage, or the receiver won't be able to decrypt
> the message at all.  So what's the purpose of MDC?

Among other things, read http://www.counterpane.com/pgp-attack.html

> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC,
> but PGP 6.5.1i can.  Was MDC capability removed, and then re-added in
> PGP7?

6.5.8 != 6.5.1i.  Two different programs.


   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
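
What an MDC adds over bare CFB encryption, the subject of the question in this message, shown as an added example that is not part of the original post and is not PGP or GnuPG code. It follows the OpenPGP MDC layout (SHA-1 over the random prefix, the plaintext and the bytes 0xD3 0x14, all encrypted in CFB with a zero IV). Assumptions: the block cipher is replaced by an HMAC-SHA256 stand-in, packet framing is omitted, and all function names are hypothetical.

```python
import hashlib, hmac, os

BLOCK = 16
PREFIX = BLOCK + 2            # random block plus its last two bytes repeated
MDC_HEADER = b"\xd3\x14"      # MDC packet tag and length byte (20-byte SHA-1)

def _forward(key, block):
    # Stand-in for a block cipher's encrypt direction (assumption: HMAC-SHA256
    # truncated to 16 bytes). CFB never uses the decrypt direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb(key, data, decrypt=False):
    prev, out = bytes(BLOCK), bytearray()      # all-zero IV
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _forward(key, prev)))
        out += res
        prev = chunk if decrypt else res       # feedback is always ciphertext
    return bytes(out)

def seal(key, plaintext):
    prefix = os.urandom(BLOCK)
    body = prefix + prefix[-2:] + plaintext + MDC_HEADER
    return cfb(key, body + hashlib.sha1(body).digest())

def open_unchecked(key, ciphertext):
    # Receiver that ignores the trailer: returns whatever decrypts.
    return cfb(key, ciphertext, decrypt=True)[PREFIX:-22]

def open_checked(key, ciphertext):
    body = cfb(key, ciphertext, decrypt=True)
    hashed, mdc = body[:-20], body[-20:]
    if len(body) < PREFIX + 22 or hashed[-2:] != MDC_HEADER \
            or not hmac.compare_digest(hashlib.sha1(hashed).digest(), mdc):
        raise ValueError("MDC mismatch: ciphertext was modified")
    return hashed[PREFIX:-2]

def flip(ciphertext, plaintext_index, mask):
    # Modify one ciphertext byte, addressed by the plaintext byte it covers.
    buf = bytearray(ciphertext)
    buf[PREFIX + plaintext_index] ^= mask
    return bytes(buf)

if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"meeting at 0900 in room 4, bring the signed copy"   # constructed sample
    ct = flip(seal(key, msg), 12, 0x01)
    print(open_unchecked(key, ct))      # one digit changed, next 16 bytes garbled
    try:
        open_checked(key, ct)
    except ValueError as err:
        print(err)
```

Without the hash check, the modified byte decrypts to a chosen value and only the following 16-byte block turns to noise; with it, the same ciphertext is rejected outright.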