Re: Agree with PRZs MDC suggestion



hal@rain.org says:
> >    1 byte MDC method (should be 2 to match SHA, or 0 to disable MDC)
> 
> This one worries me.  It allows an attacker to turn a 2 into a 0. 

I would not have "disable MDC" at all.

> Also,
> is there an implication that it can be something other than 2 or 0?

Absolutely - like 3 for HAVAL, 5 for <whatever>...

> If so, this again offers an attacker more opportunities to
> mess with the receiver.  The attacker could change the hash algorithm to
> something like 6.  Now the receiver doesn't know if this is a legitimate
> message from a later version of PGP that supports hash algorithm 6, or
> whether it is a messed up message by an attacker.  If we choose a fixed
> hash algorithm this ambiguity cannot arise.

True. So it is up to the group to decide if the extra flexibility of
permitting several hash-functions is worth this potential attack...

> I would prefer to leave this field out.  If you use the new packet format
> at all, you get the MDC, using a fixed hash of SHA-1.

Quite acceptable, if you ask me.

> >    n byte random data used as IV (n=blocksize of the cipher)	
> 
> OK.  I continue to believe that a *conventional* IV is most desirable in
> terms of explaining what we are doing to others in the field.  The "pseudo
> IV" we have now is hard to explain.

1. A conventional IV is less desirable from a security point of view.
2. If you have trouble explaining this approach to others in the
   field - I suggest that those others are in the wrong field.
-- 
Regards,
Uri		uri@watson.ibm.com
-=-=-=-=-=-=-
<Disclaimer>
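The design question argued above (a negotiable 1-byte MDC method field with a "0 = disabled" value, versus a fixed SHA-1 MDC with no field at all) can be made concrete with a small model. The following is an added example, not code from any poster in the thread and not OpenPGP code: the method values (2 = SHA-1, 0 = disabled) follow the thread, while the packet layouts, function names and the omission of encryption are assumptions made so that the effect of an unauthenticated method byte is visible directly.

```python
"""Toy model of the 'MDC method byte' question from the thread.

Constructed example for illustration; not OpenPGP code and not code from any
poster. The method values (2 = SHA-1, 0 = MDC disabled) follow the thread;
the packet layouts below are assumptions for the toy. Encryption is omitted
so the effect of an unauthenticated method field is visible directly.
"""
import hashlib
import hmac
from typing import Optional

METHOD_NONE = 0   # "disable MDC" value the thread argues against having
METHOD_SHA1 = 2   # SHA-1 MDC, the fixed choice proposed in the thread
MDC_LEN = hashlib.sha1().digest_size  # 20 bytes


def build_negotiable(payload: bytes, method: int) -> bytes:
    """Negotiable design (assumed layout): method byte | payload | MDC (only for method 2)."""
    if method == METHOD_SHA1:
        return bytes([method]) + payload + hashlib.sha1(payload).digest()
    if method == METHOD_NONE:
        return bytes([method]) + payload
    raise ValueError(f"unsupported MDC method {method}")


def receive_negotiable(packet: bytes) -> tuple[str, Optional[bytes]]:
    """Receiver that honours whatever the (unauthenticated) method byte says.

    Returns ("verified", payload), ("unverified", payload) or ("rejected", None).
    """
    method, rest = packet[0], packet[1:]
    if method == METHOD_NONE:
        # Nothing protects this byte, so a legitimate "2" turned into "0"
        # simply switches the integrity check off for this message.
        return "unverified", rest
    if method == METHOD_SHA1:
        body, mdc = rest[:-MDC_LEN], rest[-MDC_LEN:]
        if len(mdc) == MDC_LEN and hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
            return "verified", body
        return "rejected", None
    # Any other value: a newer implementation, or a modified message? The
    # receiver has no way to tell; this is the ambiguity raised in the thread.
    return "rejected", None


def build_fixed(payload: bytes) -> bytes:
    """Fixed design (assumed layout): payload | SHA-1 MDC. No method field exists."""
    return payload + hashlib.sha1(payload).digest()


def receive_fixed(packet: bytes) -> tuple[str, Optional[bytes]]:
    """Receiver that always expects and checks a SHA-1 MDC; nothing to negotiate."""
    if len(packet) < MDC_LEN:
        return "rejected", None
    body, mdc = packet[:-MDC_LEN], packet[-MDC_LEN:]
    if hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        return "verified", body
    return "rejected", None


def set_method_byte(packet: bytes, method: int) -> bytes:
    """Model the in-transit change described in the thread (e.g. 2 -> 0) on a negotiable packet."""
    return bytes([method]) + packet[1:]


def compare_designs(payload: bytes) -> dict[str, str]:
    """Run the same scenarios against both receivers; returns the status each one reports."""
    neg = build_negotiable(payload, METHOD_SHA1)
    fixed = build_fixed(payload)
    return {
        "negotiable_intact": receive_negotiable(neg)[0],
        "negotiable_method_zeroed": receive_negotiable(set_method_byte(neg, METHOD_NONE))[0],
        "negotiable_method_unknown": receive_negotiable(set_method_byte(neg, 6))[0],
        "fixed_intact": receive_fixed(fixed)[0],
        # With no method field there is nothing to downgrade; altering the body
        # or the MDC itself is caught by the recomputed hash.
        "fixed_body_flipped": receive_fixed(bytes([fixed[0] ^ 0x01]) + fixed[1:])[0],
    }


if __name__ == "__main__":
    for scenario, status in compare_designs(b"constructed sample plaintext").items():
        print(f"{scenario:28s} {status}")
```

The model shows the two failure modes the thread names: with the negotiable field, the zeroed packet is accepted with no integrity check at all (and the old MDC bytes are handed to the application as data), while an unknown value forces the receiver to reject without knowing whether it saw a newer implementation or a modified message. With the fixed design the receiver recomputes the hash on every packet, so there is no field to downgrade and any change to the body is rejected.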