
Re: Is there any published analysis of OpenPGP's MDC?

2006-12-12 06:30:28

I think one has to consider the attacker may know the hash, and also,
given the recent issues around SHA1, be able to, with some effort,
compute related hashes of modified documents, though at present with many
limitations.

With that background, CFB and CBC encryption remain quite malleable,
and a number of surprising things have been shown to be possible
through it in attacks on other protocols.  (Part of the reason for
introducing the MDC!)

Personally I think it's just more conservative to use a MAC, like
HMAC-SHA1 with a separate key.

Adam

On Mon, Dec 11, 2006 at 04:09:13PM +1300, Peter Gutmann wrote:

Subject line says it all: is there any published analysis of the
strengths/weaknesses of OpenPGP's use of MDCs (encrypted SHA-1 hash) for
private keys and data?  I've seen various informal arguments that it should be
OK (and also informal ones that it may not be OK), but nothing definitive.

Peter.
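The two constructions the thread compares, written out side by side as an added illustration (this is not code from either poster or from any OpenPGP implementation): the MDC as OpenPGP builds it, SHA-1 over the data plus the 0xD3 0x14 trailer, appended in the clear and then encrypted under the same session key, versus Adam's preference of encrypting and then applying HMAC-SHA1 under a separate key. Assumptions: plain AES-CFB with a zero IV stands in for OpenPGP's resync CFB mode, and all function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
)

// mdcTrailer is the OpenPGP MDC packet header (tag 0xD3, length 0x14) that is hashed with the data.
var mdcTrailer = []byte{0xD3, 0x14}

// cfb runs AES-CFB with a zero IV (assumption: plain CFB stands in for OpenPGP's resync CFB mode).
func cfb(key, src []byte, encrypt bool) []byte {
	block, _ := aes.NewCipher(key)
	mk := cipher.NewCFBDecrypter
	if encrypt { mk = cipher.NewCFBEncrypter }
	dst := make([]byte, len(src))
	mk(block, make([]byte, aes.BlockSize)).XORKeyStream(dst, src)
	return dst
}

// sealMDC mimics OpenPGP's MDC: SHA-1(data||trailer) is appended in the clear,
// then the whole thing is encrypted under the single session key.
func sealMDC(key, data []byte) []byte {
	body := append(append([]byte{}, data...), mdcTrailer...)
	sum := sha1.Sum(body)
	return cfb(key, append(body, sum[:]...), true)
}

// openMDC decrypts first and accepts only if the trailer and hash still match.
func openMDC(key, ct []byte) ([]byte, bool) {
	pt := cfb(key, ct, false)
	n := len(pt) - sha1.Size - len(mdcTrailer)
	if n < 0 { return nil, false }
	body, tag := pt[:n+len(mdcTrailer)], pt[n+len(mdcTrailer):]
	sum := sha1.Sum(body)
	if !hmac.Equal(sum[:], tag) || !hmac.Equal(body[n:], mdcTrailer) { return nil, false }
	return body[:n], true
}

// sealMAC is Adam's alternative: encrypt, then HMAC-SHA1 the ciphertext under a separate key.
func sealMAC(encKey, macKey, data []byte) []byte {
	ct := cfb(encKey, data, true)
	m := hmac.New(sha1.New, macKey); m.Write(ct)
	return m.Sum(ct) // ciphertext || tag
}

// openMAC checks the tag in constant time before decrypting anything.
func openMAC(encKey, macKey, ct []byte) ([]byte, bool) {
	if len(ct) < sha1.Size { return nil, false }
	body, tag := ct[:len(ct)-sha1.Size], ct[len(ct)-sha1.Size:]
	m := hmac.New(sha1.New, macKey); m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) { return nil, false }
	return cfb(encKey, body, false), true
}
```

Note that the MDC check can only run after decryption, so the receiver has already processed attacker-controlled ciphertext by the time it decides, whereas the MAC is verified on the ciphertext before any decryption happens.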
