On Mon, 29 Jun 1998, Uri Blumenthal wrote:
> To add security you need an offset in a generated cryptostream. Which
> (the offset) necessarily should go in the clear.
>
> The problem is there is no other way to determine if a key is correct than
> to match the final pairs of bytes in the prefix. It adds no security, but
> without any means of checksumming the symmetrically encrypted ESKs, you
> can't tell which of the passphrases actually match. I suggested adding a
> checksum to the SKESK, but that was shot down.
>
> Hmm... In block ciphers that random prefix does add a little bit of
> security and does make a non-zero IV unnecessary. In stream ciphers the
> prefix does nothing and an IV (or a "stream offset") is a must.
> None of these is really good for checksumming.
>
> While the existing solution that uses block cipher(s) copes with the
> issue well, stream ciphers throw a monkey wrench into the gears. Yes
> it is possible to have both random prefix and random offset, but it
> ain't look nice.
>
> I'm for adding a checksum. Would be more reliable too. [Possibly it's
> too late for that... Oh well...]
And was rejected when I originally suggested it although I brought up this
specific problem, though not in the context of block ciphers. Right now
you have to stack each passphrase for a try (and may still get wrong 1/64k
of the time). Were there a checksum you could tell if any SKESK was
correct before going further in the header, just as you can tell if the
PKESK is correct.
At the time, it would have only broken PGP 5.0. Now it would break at
least two more implementations.
--- reply to tzeruch - at - ceddec - dot - com ---
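As an added illustration, not code from this thread or from any OpenPGP implementation, here is a toy model of the key test the thread describes (a random prefix whose last two bytes are repeated, compared after decryption under a candidate key) beside the hypothetical SKESK checksum being proposed. The hash-counter keystream standing in for the cipher, the 16-byte block size, and the 4-byte checksum are assumptions.

```python
"""Toy model of the OpenPGP random-prefix quick check versus an explicit
session-key checksum.  Not a real cipher: a hash-based keystream stands in."""
import hashlib
import os

BLOCK = 16              # assumed cipher block size in bytes
PREFIX_LEN = BLOCK + 2  # random block plus a repeat of its last two bytes


def keystream(key: bytes, n: int) -> bytes:
    """Hash-counter PRF used as a constructed stand-in for the cipher."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_prefix(key: bytes, body: bytes) -> bytes:
    """Prepend a fresh random prefix (last two bytes repeated), then encrypt."""
    rand = os.urandom(BLOCK)
    plain = rand + rand[-2:] + body
    return xor(plain, keystream(key, len(plain)))


def quick_check(key: bytes, ct: bytes) -> bool:
    """The only key test the format offers: decrypt the prefix and compare the
    repeated pair.  A wrong key still passes with probability 2**-16."""
    pt = xor(ct[:PREFIX_LEN], keystream(key, PREFIX_LEN))
    return pt[BLOCK - 2:BLOCK] == pt[BLOCK:BLOCK + 2]


def session_key_checksum(key: bytes) -> bytes:
    """Hypothetical SKESK checksum: a hash of the session key stored in the
    packet, so a candidate can be verified without touching the data body.
    Four bytes brings the false-match rate from 2**-16 down to 2**-32."""
    return hashlib.sha256(key).digest()[:4]


def candidates_passing(keys, ct: bytes) -> list:
    """Which candidate session keys survive the prefix check alone."""
    return [k for k in keys if quick_check(k, ct)]
```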