[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Agree with PRZs MDC suggestion
> > 1 byte MDC method (should be 2 to match SHA, or 0 to disable MDC)
> This one worries me. It allows an attacker to turn a 2 into a 0.
I would not have "disable MDC" at all.
> is there an implication that it can be something other than 2 or 0?
Absolutely - like 3 for HAVAL, 5 for <whatever>...
> If so, this again offers an attacker more opportunities to
> mess with the receiver. The attacker could change the hash algorithm to
> something like 6. Now the receiver doesn't know if this is a legitimate
> message from a later version of PGP that supports hash algorithm 6, or
> whether it is a messed up message by an attacker. If we choose a fixed
> hash algorithm this ambiguity cannot arise.
True. So it is up to the group to decide if the extra flexibility of
permitting several hash-functions is worth this potential attack...
> I would prefer to leave this field out. If you use the new packet format
> at all, you get the MDC, using a fixed hash of SHA-1.
Quite acceptable, if you ask me.
> > n byte random data used as IV (n=blocksize of the cipher)
> OK. I continue to believe that a *conventional* IV is most desirable in
> terms of explaining what we are doing to others in the field. The "pseudo
> IV" we have now is hard to explain.
1. A conventional IV is less desirable from security point of view.
2. If you have trouble explaining this approach to others in the
field - I suggest that those others are in the wrong field.