Werner Koch says:
However, to come to a solution we should use the
IV|checkbytes|plaintext|SHA1
proposal and assign a new packet type to it (and add a version number
just in case we want to change it again).
If the above is the *plaintext* - I agree. I personally like
implicit IV=0x00...0 and the plaintext prepended with random
128 bits.
How do we handle secret key material encryption with 128 bit
blocksizes? Increase the IV in the packet to the blocksize or keep
it at 8 bytes?
NO! With 128-bit cipher you MUST use 128-bit IV. [I understand it's
coming across rather strong - but then, how much is your security
worth to you?]
--
Regards,
Uri uri(_at_)watson(_dot_)ibm(_dot_)com
-=-=-=-=-=-=-
<Disclaimer>