[Top] [All Lists]

RE: [Cfrg] OpenPGP security analysis

2002-09-17 10:24:51

From: Michael Young [mailto:mwy-opgp97(_at_)the-youngs(_dot_)org]

But if this is the scenario, then two facts complicate the attack:
   M and M' must be formatted as OpenPGP packets; and,

you're right, this does complicate the attack - it means that in the simple
truncation attack (where the evil message ciphertext is just a truncation of
the innocuous message ciphertext) the decrypted literal packet data length
will be wrong.

Unless there's a way to get around that, the only attack I see, then,
requires the attacker to inject make-believe check bytes and OpenPGP packet
formatting, and thus will succeed with probability only 2^-16 cause the
check bytes will probably turn out wrong.