ietf-openpgp

Re: Long Holiday?

1998-07-09 10:41:25
On Wed, 8 Jul 1998, John W. Noerenberg wrote:

At 10:40 PM +0100 7/8/98, Adam Back wrote:
The other thing which I raised was MACs (or MDCs) to prevent against
Gary Howland's attack first discussed at HIP97.  PGP made statements
about fixing it back then.

Now I am not particularly arguing that the necessary changes go into
this version, because it is rather late in the day and it needs some
careful thought, however it would be most nice if implementations of
OpenPGP 1.0 could cope with OpenPGP 2.0 messages which did contain
MACs without falling over.

Oh, yes, Adam.  There hadn't been much discussion.  It slipped past me.
Jon, is Adam's description sufficient for you to write something for -06?

How much heartache does adding this cause implementors (and if it does, can
you really afford not to deal with it)?
john noerenberg
jwn2(_at_)qualcomm(_dot_)com

I AM NOT PROPOSING THE FOLLOWING, BUT JUST AS AN EXAMPLE:

Unless they do something nonsensical, it would be easy to extend 1.0 - for
example, a signature algorithm of 0 means the message digest is stored in
the clear (maybe as an MPI), and leave the rest of the format alone.  Old
implementations should fail gracefully with "unknown signature algorithm".
The onepass signature header lets the "MAC" be at the end yet ensures that
someone can't just delete the "MAC".

So there should be upwards compatible ways of preventing the attack.
There are intrusive ways (new packets, new formats), but I think those can
be avoided.

--- reply to tzeruch - at - ceddec - dot - com ---
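
The upward-compatible scheme sketched in the message above, as an added example that is not part of the original post or of any OpenPGP implementation: a toy packet model in which a hypothetical signature algorithm 0 carries a plain digest announced by a one-pass header. The tuple packet layout, the names `build_message` and `process`, the algorithm sets and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac

# Toy model (assumption): packets are (kind, fields) tuples, not wire format.
DIGEST_ONLY = 0            # hypothetical "signature algorithm 0" from the message
OLD_ALGS = {1, 17}         # what a 1.0-era implementation knows (RSA=1, DSA=17)
NEW_ALGS = OLD_ALGS | {DIGEST_ONLY}

class PacketError(Exception):
    """Raised when a message cannot be processed or fails its check."""

def build_message(data, strip_trailer=False):
    """One-pass header, literal data, then the digest trailer (the "MAC")."""
    packets = [("onepass", {"sig_alg": DIGEST_ONLY}),
               ("literal", {"data": data})]
    if not strip_trailer:  # constructed case: trailer deleted in transit
        packets.append(("signature", {"sig_alg": DIGEST_ONLY,
                                      "digest": hashlib.sha256(data).digest()}))
    return packets

def process(packets, supported_algs):
    """Return the literal data if the announced check passes, else raise."""
    announced, data, checked = None, None, False
    for kind, fields in packets:
        if kind == "onepass":
            # An old implementation stops here instead of mis-parsing the rest.
            if fields["sig_alg"] not in supported_algs:
                raise PacketError("unknown signature algorithm")
            announced = fields["sig_alg"]
        elif kind == "literal":
            data = fields["data"]
        elif kind == "signature":
            if data is None or fields["sig_alg"] != announced:
                raise PacketError("trailer does not match one-pass header")
            if announced != DIGEST_ONLY:
                raise PacketError("public-key verification is outside this sketch")
            actual = hashlib.sha256(data).digest()
            if not hmac.compare_digest(actual, fields["digest"]):
                raise PacketError("digest mismatch")
            checked = True
    # The header promised a trailer, so its absence is itself an error.
    if announced is not None and not checked:
        raise PacketError("announced trailer is missing")
    return data
```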

