ietf-openpgp

Re: Agree with PRZs MDC suggestion

1999-05-19 07:18:50
On Tue, 18 May 1999 hal@rain.org wrote:
5.X. Symmetrically Encrypted Integrity Protected Data Packet (Tag 15)
[...]
  The data is encrypted in CFB mode, with a CFB shift size equal to
  the cipher's block size.  The Initial Vector (IV) is specified as
  all zeros.  Instead of using an IV, OpenPGP prefixes an octet string
  to the data before it is encrypted.  The length of the octet string
  equals the block size of the cipher in octets, plus two.  The first
  octets in the group, of length equal to the block size of the cipher,
  are random; the last two octets are each copies of their 2nd preceding
  octet.  For example, with a cipher whose block size is 128 bits or 16
  octets, the prefix data will contain 16 random octets, then two more
  octets, which are copies of the 15th and 16th octets, respectively.
  Unlike the Symmetrically Encrypted Data Packet, no special CFB
  resynchronization is done after encrypting this prefix data.

Hal,

thanks for putting up this proposal. I think it provides a step in the
right direction.

Why don't we repeat the version number (and maybe even the packet tag)
after the two check bytes? Or would this give too much plaintext away?

Although I do understand your concerns about selecting an MDC or even
allowing it to be turned off, I would like to see some selection mechanism
included, either for specialized devices or in case some problem shows up
with SHA-1 (e.g. political or cryptanalytical). Wouldn't tampering become
close to impossible if we included the algorithm byte both in the plain
header and repeated it after the CFB?

Even if the algorithm ID was included only in the plain section, the
receiving implementation could flag unknown or weak algorithms as "has
possibly been tampered with".

-Marcel
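The prefix construction quoted from Hal's draft above, worked through as an added example that is not part of the draft or of this message: a block-size random string, followed by copies of its last two octets, is encrypted in one CFB stream with an all-zero IV and no resynchronisation, and the receiver checks the two repeated octets after decryption. The example assumes a 128-bit block cipher and stands in for it with HMAC-SHA256 truncated to one block, which is sufficient because full-block CFB only ever calls the cipher in its forward direction; the function names, `DEMO_KEY`, `DEMO_RANDOM` and `DEMO_DATA` are constructed for the demo. It also shows the limitation that motivates a separate MDC: a bit flipped in the ciphertext past the prefix changes the decrypted data but still passes the two-octet quick check.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in octets of the assumed 128-bit cipher


def block_fn(key: bytes, block: bytes) -> bytes:
    """Forward direction of the block cipher.

    Stand-in (assumption, not a real cipher): CFB mode only uses the
    forward direction, so a keyed PRF truncated to one block is enough to
    demonstrate the mode and the prefix handling.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, plaintext: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """Full-block CFB: C_i = P_i XOR E_k(C_{i-1}), with C_{-1} = IV (all zeros)."""
    out = bytearray()
    register = iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]           # last chunk may be short
        keystream = block_fn(key, register)
        cblock = bytes(p ^ k for p, k in zip(chunk, keystream))
        out += cblock
        register = cblock                         # no resync anywhere
    return bytes(out)


def cfb_decrypt(key: bytes, ciphertext: bytes, iv: bytes = bytes(BLOCK)) -> bytes:
    """P_i = C_i XOR E_k(C_{i-1}); decryption also needs only the forward cipher."""
    out = bytearray()
    register = iv
    for i in range(0, len(ciphertext), BLOCK):
        cblock = ciphertext[i:i + BLOCK]
        keystream = block_fn(key, register)
        out += bytes(c ^ k for c, k in zip(cblock, keystream))
        register = cblock
    return bytes(out)


def make_prefix(random_block: bytes) -> bytes:
    """BLOCK random octets, then copies of the two octets two positions back."""
    if len(random_block) != BLOCK:
        raise ValueError("prefix random data must be exactly one block long")
    return random_block + random_block[-2:]


def encrypt_packet(key: bytes, data: bytes, random_block: bytes = None) -> bytes:
    """Encrypt prefix || data as one CFB stream (no resync after the prefix)."""
    prefix = make_prefix(random_block or os.urandom(BLOCK))
    return cfb_encrypt(key, prefix + data)


def decrypt_packet(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt, verify the two repeated octets, and return the data part."""
    plaintext = cfb_decrypt(key, ciphertext)
    if len(plaintext) < BLOCK + 2:
        raise ValueError("packet too short to hold the prefix")
    if plaintext[BLOCK:BLOCK + 2] != plaintext[BLOCK - 2:BLOCK]:
        raise ValueError("quick-check octets differ: wrong key or damaged prefix")
    return plaintext[BLOCK + 2:]


def quick_check_passes(key: bytes, ciphertext: bytes) -> bool:
    try:
        decrypt_packet(key, ciphertext)
        return True
    except ValueError:
        return False


def flip_bit(ciphertext: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Return a copy of the ciphertext with one bit flipped (simulated tampering)."""
    buf = bytearray(ciphertext)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# Constructed demo inputs (not from the draft): fixed key and fixed "random" prefix
DEMO_KEY = b"0123456789abcdef"
DEMO_RANDOM = bytes(range(0x10, 0x10 + BLOCK))
DEMO_DATA = b"Literal data packet body used for the quick-check demonstration."


def demo():
    """Returns (tampered packet passes quick check, tampered data differs)."""
    ct = encrypt_packet(DEMO_KEY, DEMO_DATA, DEMO_RANDOM)
    assert decrypt_packet(DEMO_KEY, ct) == DEMO_DATA
    # Flip a bit in ciphertext block 2 (octets 32..47), past the 18-octet prefix.
    # CFB flips the same plaintext bit in block 2 and garbles block 3, but the
    # prefix and its check octets live in blocks 0 and 1 and are untouched.
    tampered = flip_bit(ct, 40)
    return quick_check_passes(DEMO_KEY, tampered), decrypt_packet(DEMO_KEY, tampered) != DEMO_DATA


if __name__ == "__main__":
    print(demo())
```

Flipping a bit inside the prefix region itself (for example ciphertext octet 17) does trip the check, because the corresponding plaintext octet no longer matches the one two positions before it; that is all the quick check detects, which is why the draft pairs it with a hash-based MDC over the data.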