hal(_at_)rain(_dot_)org says:
1 byte MDC method (should be 2 to match SHA, or 0 to disable MDC)
This one worries me. It allows an attacker to turn a 2 into a 0.
I would not have "disable MDC" at all.
Also,
is there an implication that it can be something other than 2 or 0?
Absolutely - like 3 for HAVAL, 5 for <whatever>...
If so, this again offers an attacker more opportunities to
mess with the receiver. The attacker could change the hash algorithm to
something like 6. Now the receiver doesn't know if this is a legitimate
message from a later version of PGP that supports hash algorithm 6, or
whether it is a messed up message by an attacker. If we choose a fixed
hash algorithm this ambiguity cannot arise.
True. So it is up to the group to decide if the extra flexibility of
permitting several hash-functions is worth this potential attack...
I would prefer to leave this field out. If you use the new packet format
at all, you get the MDC, using a fixed hash of SHA-1.
Quite acceptable, if you ask me.
n byte random data used as IV (n=blocksize of the cipher)
OK. I continue to believe that a *conventional* IV is most desirable in
terms of explaining what we are doing to others in the field. The "pseudo
IV" we have now is hard to explain.
1. A conventional IV is less desirable from security point of view.
2. If you have trouble explaining this approach to others in the
field - I suggest that those others are in the wrong field.
--
Regards,
Uri uri(_at_)watson(_dot_)ibm(_dot_)com
-=-=-=-=-=-=-
<Disclaimer>