After implementing the MDC by using the signature packets and
verifying that Tom's and my implementation are interoperable, I
started over and tried to implement my suggestion to use
a special MDC packet instead of a signature packet.
(1) new encrypted data packet
(2) mdc packet with the encrypted hash over (1)
The problem here is that (2) is encrypted with the same key as (1)
and actually is part of (1). We must encrypt only the hash inside
of (2), so that the parser can distinguish both packets. It is quite
obvious that passing the decryption context from (1) to (2) is not
very easy. What we would need to have a good solution is a container
packet which replaces the old encrypted data packet:
    Encrypted_Data -+- Data_Container_Packet -+- Onepass
                    !                         !- Plaintext
                    !                         !- Signature
I think this is the clearest solution but far too complicated for
our goal.
The bottom line is that Phil's original suggestion to put the hash
at the end of the encrypted message is the easiest way to address it.
I know that it is annoying to hold back the last 20 bytes, but compared
to the hacked signature packets, I think it is okay to do this.
We should invent a new encrypted data packet which is used for
encrypted messages with MDC. Suggestion:
Packet number ???
1 byte version (should be 1)
1 byte MDC method (should be 2 to match SHA, or 0 to disable MDC)
1 byte number of extra bytes (m) at the end of the encrypted text
From now on CFB encrypted with an IV of all zeroes without
any strange syncing.
n byte random data used as IV (n=blocksize of the cipher)
2 byte the last two bytes of the random data.
k byte message
m byte hash used for MD
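As an added illustration (my code, not Werner's and not GnuPG's), the proposed packet encoded and checked in Go. It assumes AES-128 as the cipher (n = 16), SHA-1 as MDC method 2 (m = 20), that the three header bytes are sent in clear, and that the hash covers the random block and the two repeated bytes as well as the message; none of these details are spelled out in the mail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"errors"
)
// cfb returns the plain "CFB with an IV of all zeroes" stream (no OpenPGP resync).
// CFB encryption and decryption differ, hence the flag; a bad key length panics.
func cfb(key []byte, decrypt bool) cipher.Stream {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	if decrypt {
		return cipher.NewCFBDecrypter(block, make([]byte, aes.BlockSize))
	}
	return cipher.NewCFBEncrypter(block, make([]byte, aes.BlockSize))
}
// Encode emits version 1, MDC method 2 (SHA-1), m=20, then
// CFB(random || random[n-2:] || msg || SHA1(everything before it)).
// Assumed here: the hash also covers the random block and the two repeated
// bytes. random must be one AES block (16 bytes).
func Encode(key, random, msg []byte) []byte {
	plain := append(append([]byte{}, random...), random[len(random)-2:]...)
	plain = append(plain, msg...)
	sum := sha1.Sum(plain)
	plain = append(plain, sum[:]...) // the m bytes "held back" at the very end
	cfb(key, false).XORKeyStream(plain, plain)
	return append([]byte{1, 2, sha1.Size}, plain...)
}
// Decode checks the header, then the key-check bytes, then (last) the MDC.
func Decode(key, pkt []byte) ([]byte, error) {
	if len(pkt) < 3 || pkt[0] != 1 || pkt[1] != 2 {
		return nil, errors.New("unsupported version or MDC method")
	}
	n, m := aes.BlockSize, int(pkt[2])
	pt := make([]byte, len(pkt)-3)
	cfb(key, true).XORKeyStream(pt, pkt[3:])
	if len(pt) < n+2+m || !bytes.Equal(pt[n-2:n], pt[n:n+2]) {
		return nil, errors.New("key check failed: truncated packet or wrong key")
	}
	body, tag := pt[:len(pt)-m], pt[len(pt)-m:]
	if sum := sha1.Sum(body); !bytes.Equal(sum[:], tag) {
		return nil, errors.New("MDC mismatch: ciphertext was modified")
	}
	return body[n+2:], nil
}
```

The order of checks matters for the complaint about "holding back the last 20 bytes": the two repeated bytes let a wrong key be rejected after the first block, while the MDC can only be verified once the whole packet has been read.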
Uri proposed another scheme for better detection of wrong keys; we
should consider using this.
"If a cipher with a blocksize > 64 bits is used, this new packet
format SHOULD be used".
To clarify things for the old encrypted data packet (9), we should
say that the special CFB mode is used with all blocksizes.
Werner Koch at guug.de www.gnupg.org keyid 621CC013