ietf-openpgp

about MDCs etc (Re: Long Holiday?)

1998-07-09 12:53:43

Tom writes:
> Unless they do something nonsensical, it would be easy to extend 1.0 - for
> example, a signature algorithm of 0 means the message digest is stored in
> the clear (maybe as a MPI), and leave the rest of the format alone.  Old
> implementations should fail gracefully with "unknown signature algorithm".
> The onepass signature header lets the "MAC" be at the end yet ensures that
> someone can't just delete the "MAC".

Sounds ok.  

Are you suggesting this for OpenPGP 1.0 or OpenPGP 2.0?

Note that it could be argued that the MAC or MDC (MDC = Modification
Detection Code) would be stronger if it were dependent on something
secret as well as the plaintext (*).  The plaintext itself may not be
secret, e.g. for a file transfer of a suspected file.

Also CFB block encryption of a digest (particularly appended to the
plaintext, which it will be with one pass sigs) may not necessarily be
the most robust MDC one could construct.  For example 
HMAC( session-key, message ), or HMAC( HASH( session-key ), message )
might be stronger.

What you suggest is probably simple enough that it could be added to
OpenPGP 1.0 even.  HMAC stuff I suspect would be better left for
OpenPGP 2.0.  But we need some *input* here PGP Inc people... are you
working on a solution to this for PGP6.x, do you have any thoughts,
etc.

Adam

(*) If I knew what the plaintext was, I would by extension know what
the digest was, using your suggestion of using a plain digest as the
MDC construct.  Then I can use Gary Howland's attack to modify the last
block of PGP's CFB mode bulk cipher, and so modify (part of) the
MDC.  No immediate attack, but other constructs are likely stronger.
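The three MDC constructions compared in this message (plain digest appended in one-pass layout, HMAC(session-key, message), HMAC(HASH(session-key), message)), as an added example that is not part of the original post or of any PGP implementation; the use of SHA-1, the helper names and the sample plaintext are assumptions. It checks point (*): whether a party who knows only the plaintext can compute the tag.

```python
import hashlib
import hmac
import os

# Assumed hash; the constructions below do not depend on which digest is used.
DIGEST = hashlib.sha1
TAG_LEN = DIGEST().digest_size


# All three take (session_key, message) so they can be swapped; the plain
# digest simply ignores the key, which is exactly the weakness discussed.
def mdc_plain_digest(session_key, message):
    """Plain HASH(message), as in the 'signature algorithm 0' proposal."""
    return DIGEST(message).digest()


def mdc_hmac_session_key(session_key, message):
    """HMAC(session-key, message)."""
    return hmac.new(session_key, message, DIGEST).digest()


def mdc_hmac_hashed_key(session_key, message):
    """HMAC(HASH(session-key), message)."""
    return hmac.new(DIGEST(session_key).digest(), message, DIGEST).digest()


def seal(construction, session_key, message):
    """Sender side: append the tag after the plaintext (one-pass layout)."""
    return message + construction(session_key, message)


def open_trailer(construction, session_key, blob):
    """Receiver side: split off the trailing tag and compare in constant time.
    Returns the message, or None if the MDC does not verify."""
    if len(blob) < TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    return body if hmac.compare_digest(tag, construction(session_key, body)) else None


def tag_depends_on_secret(construction, message):
    """Point (*): if two unrelated session keys give the same tag, anyone who
    knows the plaintext can compute the MDC without knowing any secret."""
    key_a, key_b = os.urandom(16), os.urandom(16)
    return construction(key_a, message) != construction(key_b, message)


if __name__ == "__main__":
    msg = b"constructed sample plaintext, e.g. a suspected file"  # constructed input
    for name, c in [("plain digest", mdc_plain_digest),
                    ("HMAC(session-key, m)", mdc_hmac_session_key),
                    ("HMAC(HASH(session-key), m)", mdc_hmac_hashed_key)]:
        print(f"{name:28s} depends on secret: {tag_depends_on_secret(c, msg)}")
```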
