Q: Use MD5 as a CFB "block cipher" ??

Post by Ed Pu » Wed, 12 Feb 1997 04:00:00



NOTE: Please copy your followups to me via E-mail; although I think
all of the listed groups may be relevant, I do not read them all
regularly.

Thanks,

Thanks.

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks.

Some recent E-mail correspondence led me to review Schneier's _Applied
Cryptography_ (2nd Ed.), specifically the sections in Chapter 9 about
block cipher modes.  Since PGP uses CFB, I was particularly interested
in that mode.

According to Schneier, CFB mode is implemented as:

Encryption:  C(i) = P(i) xor E_k(C(i-1))
Decryption:  P(i) = C(i) xor E_k(C(i-1))

where E_k(A) is the chosen block cipher's encryption algorithm on data
block, A, with key, k.  (In the case of PGP, E_k(A) is IDEA encryption
with k being the random session key.)  For encryption of C(1) and
recovery of P(1), the value of "C(0)" for the feedback term is based on
some function of a random "Initialisation Vector" (or "IV") block.

I quickly realised that, in implementing CFB, a crypto system does not
actually need to implement the block cipher's specific DEcryption key
scheduling and/or algorithm, but only the ENcryption key scheduling
and algorithm.

(Be that as it may, from reading PGP's PGFORMAT.DOC, it looks like PGP
*does* use IDEA block decryption, but only for handling the IV.  Once
the IV is recovered at the decryption end, then the "normal" CFB
decryption would complete, using only IDEA block ENcryption.  However,
with slightly different IV handling, PGP would not require the use of
IDEA block decryption at all!)

Then, I realised that the block cipher used in CFB (or OFB) need not
even be invertible - a good cryptographic strength message digest
might do the job just as well.  A brief trip to _AC_'s index then led
me to section 14.11 on hash-based ciphers and, sure enough, the
introduction to that section specifically mentioned using message digest
algorithms in CFB mode for use as a block cipher.  The section then
went on to explain other schemes, such as Luby-Rackoff, and Message
Digest Cipher (specifically mentioning MD5 as a possible candidate to
use with L-R and MDC).  However, Schneier ends the section by
stating that he would not trust such MD based schemes because message
digest algorithms were not really meant to be used as an encryption
algorithm, and worried that some may be prone to cryptanalysis.

So, now my questions:

1.  Does anyone know whether use of MD5 as the "block cipher" in CFB,
    Luby-Rackoff, or MDC, constitutes a strong cipher?  Is there any
    known cryptanalytic attack?

2.  Since CFB mode and the MD5 message digest are already implemented
    in PGP, would it be easy to implement this scheme as a PGP command
    option in a future release or as a variant of a current release?

3.  Would it make sense to (optionally, of course) use MD5 as the
    block cipher in CFB mode, instead of IDEA?  Specifically, would
    doing so free up the freeware versions of PGP for "commercial
    use".  (Meaning for business and/or commercial related messaging
    traffic, not for re-selling MD5 based software.  Currently, one
    must purchase an IDEA licence, or licensed software incorporating
    IDEA, to legally allow commercial and/or business related
    messaging traffic encrypted with IDEA.)

4.  Are there any other questions about this I have forgotten? ;-)

Thanks and regards,

Edward L. Pugh

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQCVAwUBMv/DNJC5DvuMGchlAQEgFgQAooiFIJUMrqqNOYRAf/k/+Rdi6PG1VBMF
IGveCZSjKtzcex4zDoNdn/3e1dX6KCpvnZzegnGAO6MDsqJVMmEVmFvQ0MpEVaSR
aMZ1P+ScWb1xWOuulggZDViKwAnEeO5EaeTPyl2pSlvA0lcGoEvn0EyKodod1u4b
2K1Dr+hc5j8=
=MIEg
-----END PGP SIGNATURE-----
--

PGP Key: 1024/0x8C19C865  Fingerprint=B044EBD54760834A AA01F2ABCC65BF43

Ask me how to make your E-mail private and secure (Use PGP).
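The CFB construction described in the post above, carried through in Python as an added example (this is not code from the thread, from PGP, or from _Applied Cryptography_). E_k(A) is taken to be MD5(k || A) so that the "block cipher" is a one-way function, the IV is sent in the clear as C(0) so that neither side ever needs an inverse, and a final function illustrates the caveat that goes with any unauthenticated CFB stream: a flipped ciphertext bit flips the same plaintext bit and only garbles the following block. The key, IV and plaintext are constructed sample values, and the function names are this example's own. MD5 appears here because it is what the thread discusses; the same code works with any keyed one-way function of a block, and Schneier's reservation about hash-based ciphers applies to it unchanged.

```python
import hashlib
import os

BLOCK = 16  # MD5 digest length in bytes, used here as the CFB block size


def md5_block(key: bytes, block: bytes) -> bytes:
    """E_k(A) := MD5(k || A). One-way by construction; CFB never needs its inverse."""
    return hashlib.md5(key + block).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C(i) = P(i) xor E_k(C(i-1)), with C(0) = IV.

    A short final block simply uses the leading bytes of the last keystream
    block, so ciphertext and plaintext have the same length (no padding).
    """
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    out = bytearray()
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        c = xor_bytes(chunk, md5_block(key, prev))
        out += c
        prev = c  # ciphertext, not plaintext, is fed back
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P(i) = C(i) xor E_k(C(i-1)): the very same forward function as encryption."""
    if len(iv) != BLOCK:
        raise ValueError("IV must be exactly one block")
    out = bytearray()
    prev = iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out += xor_bytes(chunk, md5_block(key, prev))
        prev = chunk
    return bytes(out)


def tamper_effect(key: bytes, iv: bytes, plaintext: bytes) -> tuple:
    """Flip the low bit of the first ciphertext byte and decrypt.

    CFB carries no integrity check, so P(1) comes back with exactly that bit
    flipped and P(2) comes back randomised (its keystream depends on C(1)).
    Returns (p1_bit_flipped, p2_garbled); plaintext must be at least 2 blocks.
    """
    ct = bytearray(cfb_encrypt(key, iv, plaintext))
    ct[0] ^= 0x01
    pt2 = cfb_decrypt(key, iv, bytes(ct))
    mask = b"\x01" + b"\x00" * (BLOCK - 1)
    p1_flipped = pt2[:BLOCK] == xor_bytes(plaintext[:BLOCK], mask)
    p2_garbled = pt2[BLOCK:2 * BLOCK] != plaintext[BLOCK:2 * BLOCK]
    return p1_flipped, p2_garbled


def demo() -> bool:
    """Round trip with a constructed key and a random IV sent alongside the ciphertext."""
    key = b"constructed 128-bit session key!"  # constructed sample; any length works
    iv = os.urandom(BLOCK)                     # C(0), transmitted in the clear
    message = b"CFB needs only the forward direction of E_k, even for MD5."
    ct = cfb_encrypt(key, iv, message)
    return cfb_decrypt(key, iv, ct) == message and cfb_decrypt(b"wrong", iv, ct) != message


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The point to take from the code is the one the post makes: `cfb_decrypt` calls `md5_block`, not an inverse of it, so the "cipher" need not be invertible and the IV can be handled without any decryption primitive. `tamper_effect` is the standard reason such a stream needs a separate integrity check (PGP's signature, or a MAC) before its output is trusted.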


Q: Use MD5 as a CFB "block cipher" ??

Post by Steve Gilha » Wed, 12 Feb 1997 04:00:00



> 2.  Since CFB mode and the MD5 message digest are already implemented
>     in PGP, would it be easy to implement this scheme as a PGP command
>     option in a future release or as a variant of a current release?

In PGP2.n versions, adding new conventional cyphers is messy, albeit
feasible - for proof of concept, it once took me about 3 hours to hack
in 128-bit Blowfish, though the result at that point was by no means
bug-free (it didn't work on little-endian machines).

The main problem, as for all such extensions, is interoperability -
agreement would be needed on the value for the MD5CFB_ALGORITHM_BYTE,
and the chosen key-length (such algorithms are by their very nature
open-ended).

> 3.  Would it make sense to (optionally, of course) use MD5 as the
>     block cipher in CFB mode, instead of IDEA?  Specifically, would
>     doing so free up the freeware versions of PGP for "commercial
>     use".  (Meaning for business and/or commercial related messaging
>     traffic, not for re-selling MD5 based software.  Currently, one
>     must purchase an IDEA licence, or licensed software incorporating
>     IDEA, to legally allow commercial and/or business related
>     messaging traffic encrypted with IDEA.)

In plain fact, the fashionable alternative is Blowfish - PGP 3.0 is
intended to use it as does the general purpose kernel Mac freeware

c.s.pgp.announce a couple of weeks back.  It is also likely to be
faster (based on the figures in Schneier) than the hash-CFB.

-- Personal mail to steve*windsong.demon.co.uk (for which PGP is preferred) --
Steve Gilham       |GDS Ltd.,Wellington Ho. |My opinions, not those of GDS
Software Specialist|East Road, Cambridge    |Corporation or its affiliates.

    uk.gdscorp.com |Tel:(44)1223-300111x2904|http://www.windsong.demon.co.uk/