At 11:53 PM 6/25/98 +0100, Adam Back wrote:
> - Gary Howland's attack which can undetectably garble unsigned
> encrypted messages ... has this been fixed?
> If not perhaps we could either fix it (include optional? unsigned
> digest inside message) or have wording added to highlight that
> unsigned encrypted messages offer little protection against garbling.
As I remember the consensus on this one, garbling is a problem on all
messaging systems unless you have a signature or a MAC.
Adding in a MAC or digest to an encrypted packet breaks backwards
compatibility. I thought the consensus was that with 1.X we would look at
adding some form of integrity check, perhaps with a new type of encrypted
data packet.
I'm willing to add a note in security considerations. How about something
like:
Please note that encrypting an object but not signing it leaves open the
possibility that it might have been damaged (by accident or attack). If an
implementation wants to ensure the integrity of a message, it must be
signed as well as encrypted.
> - Is it defined that an implementation would keep processing packets
> until it gets to a terminal packet (terminal packets being
> literal packets, or the text of a clear signed message)?
> This is important as it allows super-encryption, and allows
> encrypted messages to contain clear signed messages (which William
> Geiger uses) plus it would be useful for experimental combinations
> people may use.
It is my belief that that is defined. It's implicit that an implementation
needs to keep unwrapping an object until it hits bottom, and that since a
literal packet could contain a clearsigned message, a literal should be
scanned for one. If you think a paragraph needs to be added, let us know.
Jon
-----
Jon Callas jon(_at_)pgp(_dot_)com
CTO, Total Network Security 3965 Freedom Circle
Network Associates, Inc. Santa Clara, CA 95054
(408) 346-5860
Fingerprints: D1EC 3C51 FCB1 67F8 4345 4A04 7DF9 C2E6 F129 27A9 (DSS)
665B 797F 37D1 C240 53AC 6D87 3A60 4628 (RSA)
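The two points in the exchange above, as an added example that is not part of the thread and not OpenPGP's real CFB mode or packet format: a toy stream cipher (counter-mode keystream from HMAC-SHA256, an assumption standing in for PGP's CFB) shows that an encrypted-but-unsigned message decrypts to garbled text with nothing to flag the damage, while an encrypt-then-MAC check (the "new type of encrypted data packet" idea) refuses the damaged ciphertext; a toy nested-packet reader with made-up tags `L` (literal) and `E` (encrypted) shows "keep unwrapping until a terminal packet", including super-encryption and a literal that carries a clearsigned message. Keys, nonces and the sample plaintext are constructed.

```python
import hmac
import hashlib

LITERAL = b"L"     # toy tag: terminal packet carrying the message text
ENCRYPTED = b"E"   # toy tag: wraps another serialized packet
NONCE_LEN = 8


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (constructed toy, not PGP CFB)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def flip_bits(ciphertext: bytes, index: int, mask: int) -> bytes:
    """Model one ciphertext byte damaged in transit (by accident or otherwise)."""
    damaged = bytearray(ciphertext)
    damaged[index] ^= mask
    return bytes(damaged)


def decrypt_unsigned(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-only: every ciphertext decrypts to *something*; nothing flags damage."""
    return xor_crypt(key, nonce, ciphertext)


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce and ciphertext (encrypt-then-MAC)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_with_mac(key: bytes, mac_key: bytes, nonce: bytes,
                     ciphertext: bytes, tag: bytes):
    """Refuse to decrypt unless the tag verifies; None signals a damaged message."""
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag):
        return None
    return xor_crypt(key, nonce, ciphertext)


# Toy packet framing: 1-byte tag, 2-byte big-endian length, payload.
def literal_packet(text: str) -> bytes:
    body = text.encode()
    return LITERAL + len(body).to_bytes(2, "big") + body


def encrypted_packet(key: bytes, nonce: bytes, inner: bytes) -> bytes:
    """Wrap an already-serialized packet; nesting this twice is super-encryption."""
    body = nonce + xor_crypt(key, nonce, inner)
    return ENCRYPTED + len(body).to_bytes(2, "big") + body


def unwrap_to_literal(key: bytes, packet: bytes, max_depth: int = 8):
    """Keep unwrapping until a terminal (literal) packet is reached.

    Returns (text, layers_removed, looks_clearsigned); the literal is scanned
    for a clearsigned message because it may contain one.
    """
    layers = 0
    while layers <= max_depth:
        tag = packet[:1]
        length = int.from_bytes(packet[1:3], "big")
        body = packet[3:3 + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        if tag == LITERAL:
            text = body.decode()
            return text, layers, text.startswith("-----BEGIN PGP SIGNED MESSAGE-----")
        if tag == ENCRYPTED:
            nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
            packet = xor_crypt(key, nonce, ciphertext)
            layers += 1
            continue
        raise ValueError(f"unknown packet tag {tag!r}")
    raise ValueError("packet nesting deeper than max_depth")
```

Because a stream-style cipher XORs keystream onto plaintext, flipping one ciphertext bit flips exactly the matching plaintext bit, so `decrypt_unsigned` on damaged input returns a plausible but wrong message and the receiver has no signal; `decrypt_with_mac` returns `None` for the same input, which is the property a signature or MAC adds and an unsigned encrypted packet lacks.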