Understanding MDC (Modification Detection Code)

Per Tunedal pt@radvis.nu
Tue Apr 8 13:24:01 2003


At 08:48 2002-10-19 -0400, you wrote:
 >On Fri, Oct 18, 2002 at 12:05:34PM +0000, MindFuq wrote:
 >> The faq states that having key preferences of TwoFish and AES implies
 >> the keyholder has the capability of using MDC encryption.  This may be
 >> true, but my tests are showing that MDC is disjoint from those
 >> algorithms.  PGP 6.5.1i can handle MDC, and it's limited to the IDEA,
 >> CAST, and 3DES ciphers.
 >That is correct.  As you saw, MDC is unrelated to any particular
 >cipher choice.  However, given the general evolution of OpenPGP, it is
 >possible to infer from the presence of Twofish and AES that MDC
 >exists.  Ideally, of course, the key would have an explicit MDC flag,
 >but PGP does not do this.
 >> How exactly does MDC work?  I know with MDC out of the picture, if
 >> someone changes the ciphertext, the receiver knows.  Either the
 >> receiver will get garbage, or the receiver won't be able to decrypt
 >> the message at all.  So what's the purpose of MDC?
 >Among other things, read http://www.counterpane.com/pgp-attack.html
 >> Also, I'm curious as to why PGP 6.5.8 (domestic) cannot handle MDC,
 >> but PGP 6.5.1i can.  Was MDC capability removed, and then re-added in
 >> PGP7?
 >6.5.8 != 6.5.1i.  Two different programs.

I have re-read the document above today and realised that compressed data,
e.g. zip files, might be a problem. The document says that the attack
succeeds 100% of the time if compression isn't used. And GPG doesn't
compress data if it is already compressed, right? And the MDC doesn't help
against this vulnerability?

BTW I found the switch --force-mdc that might be useful if AES or
Twofish are not used. Any problems with that? (I am testing it right now!)

Per Tunedal

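
An added illustration of the question quoted in this thread (what MDC adds if a changed ciphertext "decrypts to garbage"), not code from the posters or from GnuPG/PGP. It is a simplified CFB model: HMAC-SHA256 stands in for the block cipher, the MDC is a bare SHA-1 of the plaintext without OpenPGP packet framing, and all names and sample values are constructed.

```python
import hashlib
import hmac

BLOCK = 16

def _forward(key, block):
    # Assumption: HMAC-SHA256 stands in for the block cipher; CFB only ever
    # uses the cipher's forward direction, so a keyed PRF is enough here.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cfb(key, iv, data, decrypt=False):
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _forward(key, prev)))
        out += res
        prev = chunk if decrypt else res  # feedback is always the ciphertext block
    return bytes(out)

def seal(key, iv, msg):
    # Simplified MDC: SHA-1 of the plaintext is appended, then both are encrypted.
    return cfb(key, iv, msg + hashlib.sha1(msg).digest())

def open_checked(key, iv, ct):
    pt = cfb(key, iv, ct, decrypt=True)
    msg, mdc = pt[:-20], pt[-20:]
    if not hmac.compare_digest(hashlib.sha1(msg).digest(), mdc):
        raise ValueError("MDC mismatch: message was modified")
    return msg

def flip(ct, pos, mask):
    # Models a change made to the ciphertext in transit.
    return ct[:pos] + bytes([ct[pos] ^ mask]) + ct[pos + 1:]

# Constructed sample values, not taken from the thread.
KEY, IV = b"k" * 16, bytes(16)
MSG = b"meet at 09:00 in room 4, bring the key!!"

def demo():
    changed = flip(cfb(KEY, IV, MSG), 39, 0x1E)       # no MDC, last block touched
    silent = cfb(KEY, IV, changed, decrypt=True)      # decrypts with no error
    try:
        open_checked(KEY, IV, flip(seal(KEY, IV, MSG), 39, 0x1E))
        detected = False
    except ValueError:
        detected = True
    return silent, detected

if __name__ == "__main__":
    print(demo())
```

Without the MDC, a change in the final ciphertext block alters the matching plaintext byte and leaves no garbled block behind it, so the receiver sees nothing unusual; with the hash appended, the same change fails the check.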