ietf-openpgp

Re: [Sam Hartman] Openpgp comments

2006-09-18 13:05:26

Derek forwards from Sam Hartman of IETF:
However Russ and I have two large issues that we need fixed before I can 
bring the document to the IESG.

The first is the lack of IANA registries....

It sounds like we can use some boilerplate language here without much
difficulty.

The second issue is the encryption with integrity packet.  Today this
is hard-wired to use SHA-1.  That's not OK.  We need an upgrade path
for that and I think we need to support SHA-256 now.

This is a major setback.  It took years to get this change in place, the
whole issue of compatibility and installed base of software that doesn't
recognize the new packet formats.  I wonder if we could add a new set of
MDC packets as the "upgrade path" while retaining the old ones.  Then we
can gradually switch over to using the new ones over the next few years.
In that case we could change the draft expeditiously without committing to
an immediate changeover in fielded implementations.

If we do pursue this, given the subsequent cryptographic progress since we
designed the MDC mechanism, we should probably look at the now-standard
mechanism of doing a keyed MAC over the ciphertext, rather than using
an encrypted hash of the plaintext.  The MAC could be HMAC with a hash
algorithm specifier for future upgrade.  The paper that first analyzed
this construction is: http://www-cse.ucsd.edu/~mihir/papers/oem.html .
It uses CBC mode; however, the proof probably goes through for CFB mode
as well - the modes have similar security properties.

Hal Finney
