From 771b2b8326df792b59457a25f04ac3c168347d34 Mon Sep 17 00:00:00 2001 From: Paul Schaub Date: Wed, 13 Dec 2023 12:39:05 +0100 Subject: [PATCH] ch10, ch11: Describe MDC and quick check bytes --- book/assets/drawio/mdc.drawio | 75 +++++++++++++++++++++++++++++++++++ book/assets/drawio/mdc.svg | 4 ++ book/source/decryption.md | 13 ++++++ book/source/encryption.md | 21 ++++++++++ 4 files changed, 113 insertions(+) create mode 100644 book/assets/drawio/mdc.drawio create mode 100644 book/assets/drawio/mdc.svg diff --git a/book/assets/drawio/mdc.drawio b/book/assets/drawio/mdc.drawio new file mode 100644 index 0000000..353e8ba --- /dev/null +++ b/book/assets/drawio/mdc.drawio @@ -0,0 +1,75 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/book/assets/drawio/mdc.svg b/book/assets/drawio/mdc.svg new file mode 100644 index 0000000..8abaf33 --- /dev/null +++ b/book/assets/drawio/mdc.svg @@ -0,0 +1,4 @@ + + + +
16 random bytes
16 random bytes
quick check bytes
quick...
Plaintext
Plaintext
0xD3
0x14
0xD3...
SHA1
Checksum
SHA1...
repeated 2 bytes
repeated 2 bytes
calculate / verify checksum
calculate / verify checksum
quick check
quick check
modification detection code
modification detection codeText is not SVG - cannot display \ No newline at end of file diff --git a/book/source/decryption.md b/book/source/decryption.md index cd602b1..f0991ef 100644 --- a/book/source/decryption.md +++ b/book/source/decryption.md @@ -128,6 +128,19 @@ The cipher algorithm is either extracted from the decrypted session key (the alg Once the cipher is initialized, the whole encrypted data from the SEIPD packet is decrypted. +### Verifying the quick-check bytes + +To quickly verify that the correct session-key was used during decryption, bytes with index 14 and 15 are compared to those with index 16 and 17 (zero-indexed). +A mismatch of those pairs of bytes indicates that the wrong session-key was used and decryption is aborted. + +### Verifying the modification detection code (mdc) + +The contents of a SEIPDv1 packet are protected against unnoticed modification via the addition of a modification detection code. +This is done by calculating the SHA1 checksum of the entire decrypted plaintext, but excluding the last 20 bytes, which are the actual checksum computed by the sender. +Compare figure {numref}`fig-encryption-mdc`. + +The result is then compared to those last 20 bytes to detect modifications of the ciphertext. + ```{figure} plain_svg/SEIPDv1-decryption.svg :name: fig-decryption-seipd1 :alt: Depicts how the session key is used directly to decrypt the contents of the SEIPD packet. diff --git a/book/source/encryption.md b/book/source/encryption.md index 7d2f243..0f9ae6a 100644 --- a/book/source/encryption.md +++ b/book/source/encryption.md @@ -117,6 +117,27 @@ When communicating with a mix of recipients, some of whose OpenPGP software only With SEIPDv1, the session key is directly used as message key to encrypt the payload ``` +(quick-check-and-mdc)= +#### Preparing the plaintext with quick check and modification detection code + +Before encrypting the plaintext, the data is modified by adding both a prepended "quick check", as well as an appended modification detection code. + +The quick check comprises of 16 randomly chosen bytes plus 2 bytes which are the last two of the 16 random bytes repeated. +This mechanism is useful to quickly check, whether the correct session key was used when decrypting the message. +These quick-check bytes are prepended to the plaintext. + +The modification detection code on the other hand is added to allow detection of unwanted modification of the ciphertext. +First, the two marker bytes `0xD3` and `0x14` are appended to the plaintext. Then, the SHA1 checksum of the entire plaintext including quick check and marker bytes is calculated and appended to the plaintext. + +```{figure} plain_svg/mdc.svg +:name: fig-encryption-mdc +:alt: Depicts, how the prior to encryption, the plaintext bytes are prepended with 18 quick check bytes and appended with 22 bytes of modification detection code. The quick check comprises of 16 random bytes plus 2 repeated bytes. The modification detection code starts with the marker bytes 0xD314, followed by the SHA1 checksum of the entire plaintext including quick check and marker bytes. + +The plaintext inside of a SEIPDv1 packet contains quick check bytes, the actual plaintext and modification detection code +``` + +Lastly, the whole prepared plaintext is encrypted symmetrically. + (seipd-v2)= ### v2 SEIPD, based on AEAD