
Re: Agree with PRZ's MDC suggestion



On Tue, 18 May 1999 hal@rain.org wrote:
>5.X. Symmetrically Encrypted Integrity Protected Data Packet (Tag 15)
[...]
>   The data is encrypted in CFB mode, with a CFB shift size equal to
>   the cipher's block size.  The Initial Vector (IV) is specified as
>   all zeros.  Instead of using an IV, OpenPGP prefixes an octet string
>   to the data before it is encrypted.  The length of the octet string
>   equals the block size of the cipher in octets, plus two.  The first
>   octets in the group, of length equal to the block size of the cipher,
>   are random; the last two octets are each copies of their 2nd preceding
>   octet.  For example, with a cipher whose block size is 128 bits or 16
>   octets, the prefix data will contain 16 random octets, then two more
>   octets, which are copies of the 15th and 16th octets, respectively.
>   Unlike the Symmetrically Encrypted Data Packet, no special CFB
>   resynchronization is done after encrypting this prefix data.

Hal,

thanks for putting up this proposal. I think it provides a step in the
right direction.

Why don't we repeat the version number (and maybe even the packet tag)
after the two check bytes? Or would this give too much plaintext away?

Although I do understand your concerns against selecting an MDC or even
allowing it to be turned off, I would like to see some selection mechanism
included, either for specialized devices or in case some problem shows up
with SHA-1 (e.g. political or cryptanalytical). Wouldn't tampering become
close to impossible if we included the algorithm byte both in the plain
header and repeated it after the CFB?

Even if the algorithm ID was included only in the plain section, the
receiving implementation could flag unknown or weak algorithms as "has
possibly been tampered with".

-Marcel