Re: Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG

From: Werner Koch <>
Date: Tue, 13 Aug 2002 12:59:41 +0200

On Mon, 12 Aug 2002 11:45:26 -0600, aleph1 said:

> must be taken into account in order to maintain confidentiality. We also
> recommend changes in the OpenPGP standard to reduce the effectiveness of our
> attacks in these settings.

Countermeasures have been defined in the OpenPGP drafts since October 2000.

This MDC (Manipulation Detection Code) feature has been supported since PGP
7.0 (decryption only) and GnuPG 1.0.2. The latest OpenPGP draft (06)
even changed the wording to strongly suggest the use of the MDC
feature. We have already changed the GnuPG development version to
emit an error and not only a warning when a corrupt MDC hash is
detected, so that frontends can't ignore the warning.

GnuPG uses MDC when either Twofish or AES is used as the cipher algorithm
(selected by the preference system) or when the special MDC flag is
listed in the preferences. The option --force-mdc does what you

The general problem is that the MDC feature is not compatible with any
PGP versions before 7.0 or GnuPG 1.0.2. You simply won't be able
to decrypt a message if you use such a version. If you are running a
modern version you should make sure that AES has been enabled in the
key preferences.
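
As an added example (not part of the original post and not GnuPG code): a frontend that reads `gpg --status-fd` output can fail closed on the MDC result instead of depending on a warning being noticed. It assumes the status keywords documented in GnuPG's doc/DETAILS (GOODMDC, BADMDC, DECRYPTION_OKAY, DECRYPTION_FAILED); the function names and the sample status streams are constructed for illustration.

```python
# Added example: fail-closed handling of `gpg --status-fd` output in a frontend.
# Status keywords are assumed to be those in GnuPG's doc/DETAILS.
# The three sample status streams below are constructed, not captured output.

PREFIX = "[GNUPG:] "

GOOD = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
        "[GNUPG:] GOODMDC\n[GNUPG:] END_DECRYPTION\n")
TAMPERED = ("[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] BADMDC\n"
            "[GNUPG:] DECRYPTION_FAILED\n[GNUPG:] END_DECRYPTION\n")
NO_MDC = ("gpg: WARNING: message was not integrity protected\n"
          "[GNUPG:] BEGIN_DECRYPTION\n[GNUPG:] DECRYPTION_OKAY\n"
          "[GNUPG:] END_DECRYPTION\n")


def parse_status(stream):
    """Return (keyword, args) for every machine-readable status line."""
    events = []
    for line in stream.splitlines():
        if not line.startswith(PREFIX):
            continue  # human-readable warnings are never trusted for decisions
        parts = line[len(PREFIX):].split()
        if parts:
            events.append((parts[0], parts[1:]))
    return events


def may_release_plaintext(stream):
    """Decide whether the frontend may show or store the decrypted output."""
    keywords = [keyword for keyword, _ in parse_status(stream)]
    if "BADMDC" in keywords:
        return False, "MDC hash mismatch: ciphertext was modified"
    if "DECRYPTION_FAILED" in keywords:
        return False, "gpg reported a decryption failure"
    if "DECRYPTION_OKAY" not in keywords:
        return False, "no DECRYPTION_OKAY status seen"
    if "GOODMDC" not in keywords:
        # Strict policy (an assumption of this example): no verified MDC, no output.
        return False, "message carries no verified MDC"
    return True, "decrypted and MDC verified"


if __name__ == "__main__":
    for name, stream in (("good", GOOD), ("tampered", TAMPERED), ("no-mdc", NO_MDC)):
        print(name, may_release_plaintext(stream))
```

The strict branch rejects messages without an MDC, which also rejects mail from the older PGP and GnuPG versions mentioned above; a frontend that must interoperate with them would have to relax that check knowingly.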