Understanding MDC (Modification Detection Code)
Tue Apr 8 13:24:01 2003
-----BEGIN PGP SIGNED MESSAGE-----
At 08:48 2002-10-19 -0400, you wrote:
>On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote:
>> The faq states that having key preferences of TwoFish and AES implies
>> the keyholder has the capability of using MDC encryption. This may be
>> true, but my tests are showing that MDC is disjoint from those
>> algorithms. PGP 6.5.1i can handle MDC, and it's limited to the IDEA,
>> CAST, and 3DES ciphers.
>That is correct. As you saw, MDC is unrelated to any particular
>cipher choice. However, given the general evolution of OpenPGP, it is
>possible to infer from the presence of Twofish and AES that MDC
>exists. Ideally, of course, the key would have an explicit MDC flag,
>but PGP does not do this.
>> How exactly does MDC work? I know with MDC out of the picture, if
>> someone changes the ciphertext, the receiver knows. Either the
>> receiver will get garbage, or the receiver won't be able to decrypt
>> the message at all. So what's the purpose of MDC?
>Among other things, read http://www.counterpane.com/pgp-attack.html
>> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC,
>> but PGP 6.5.1i can. Was MDC capability removed, and then re-added in
>6.5.8 != 6.5.1i. Two different programs.

I have re-read the document above today and realised that compressed data,
e.g. zip files, might be a problem. The document says that the attack
succeeds 100% of the time if compression isn't used. And GPG doesn't
compress data if it is already compressed, right? And the MDC doesn't help
against this vulnerability?

BTW, I found the switch --force-mdc, which might be useful if AES or
Twofish is not used. Any problems with that? (I am testing it right now!)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32) - GPGrelay v0.92
-----END PGP SIGNATURE-----
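
The question quoted in this thread (what MDC adds if a modified ciphertext already decrypts to garbage) can be checked with a small model. The Python below is an added illustration, not code from this thread or from GnuPG or PGP: it follows the OpenPGP layout (random prefix, data, 0xD3 0x14, SHA-1 digest, all under CFB), but a keyed SHA-256 stands in for the block cipher, and the key, message and function names are constructed for the example.

```python
import hashlib, hmac, os

BLOCK = 16               # block size of the stand-in cipher
MDC_HDR = b"\xd3\x14"    # MDC packet header: tag 0xD3, length 20 (SHA-1)

def prf_block(key, block):
    # Assumption: a keyed SHA-256 stands in for the block cipher (CAST5, AES...).
    # CFB only ever calls the cipher's encrypt direction, so this is enough.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key, data, decrypt=False):
    prev, out = bytes(BLOCK), b""          # all-zero IV, as the MDC packet uses
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, prf_block(key, prev)))
        out += res
        prev = chunk if decrypt else res   # feedback is always the ciphertext
    return out

def seal(key, data):
    prefix = os.urandom(BLOCK)
    body = prefix + prefix[-2:] + data + MDC_HDR   # prefix repeats its last 2 bytes
    return cfb(key, body + hashlib.sha1(body).digest())

def open_sealed(key, ct):
    pt = cfb(key, ct, decrypt=True)
    body, digest = pt[:-20], pt[-20:]
    ok = hmac.compare_digest(hashlib.sha1(body).digest(), digest)
    if not ok or body[-2:] != MDC_HDR:
        raise ValueError("MDC check failed: message was modified")
    return body[BLOCK + 2:-2]

def flip(ct, pos, mask):
    b = bytearray(ct)
    b[pos] ^= mask
    return bytes(b)

if __name__ == "__main__":
    key, msg = b"constructed key!", b"PAY 100 EUR TO ALICE"   # constructed sample
    mask = ord("E") ^ ord("F")
    # Without MDC: the change goes through silently, no garbage appears.
    print(cfb(key, flip(cfb(key, msg), len(msg) - 1, mask), decrypt=True))
    # With MDC: the same change is rejected.
    try:
        open_sealed(key, flip(seal(key, msg), BLOCK + 2 + len(msg) - 1, mask))
    except ValueError as e:
        print(e)
```

In CFB a changed ciphertext byte changes the same plaintext byte and garbles only the following block, so a change in the final block leaves nothing for the receiver to notice unless the digest is checked.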