On May 4, 2009, at 7:46 PM, Peter Gutmann wrote:

> Daniel Kahn Gillmor <dkg(_at_)fifthhorseman(_dot_)net> writes:
>
>> What do other folks think?
>
> Given that the MDC is a hash of plaintext that's then encrypted, and the hash
> value is itself encrypted, I'm not losing any sleep over it. The hash attacks
> so far have required bit-for-bit carefully-chosen plaintext with known hash
> values, not unknown (or even partially-known) plaintext with an unknown hash
> value.

I'm not losing a lot of sleep over it, either.

The point of the MDC is to provide a low-level integrity check.
There's an easy high-level integrity check, a digital signature. The
MDC exists for people who don't want to sign, but do want more
protection than naked CFB mode, which is completely vulnerable to
truncation.

The construction we use is not "secure". I put scare quotes around it
for a reason. In particular, it's vulnerable to existential forgeries.
However, every spam in the world is an existential forgery, and if you
wanted to send an MDC forgery to someone, it's much easier to just
write the message and encrypt it to them than modifying an existing
message. What that means is that while there are some protocols that
really have to worry about existential forgeries (like IPsec), we're
really not one of them, especially since there's always signing for us.

In 4880, we described how one might upgrade the MDC. If someone
believes it's important, I would support anyone writing a draft for an
upgraded MDC. (But as an implementer, I can't make a statement as to
when or if PGP would implement it.)

Jon
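The construction the thread is talking about, written out as an added example (this is not code from the message above, from PGP, or from any OpenPGP implementation). It follows the layout of the Symmetrically Encrypted Integrity Protected Data packet in RFC 4880 section 5.13: a random block plus its last two bytes repeated, then the plaintext, then an MDC packet (tag 0xD3, length 0x14) carrying SHA-1 over everything before it, all run through CFB with a zero IV and no resynchronization. The one assumption is the block function: instead of AES it uses an HMAC-SHA-256 based keyed pseudorandom function, which is enough to demonstrate the mode because CFB only ever calls the cipher in the forward direction, but it is not interoperable with real OpenPGP data. The demo() function shows the property Jon describes: naked CFB hands back a truncated message silently, while the MDC check rejects both truncation and a flipped ciphertext bit.

```python
import hashlib
import hmac
import os

BLOCK = 16                  # 128-bit block, as for AES in OpenPGP
MDC_HEADER = b"\xd3\x14"    # MDC packet: tag 19 (0xD3), body length 20 (0x14)
MDC_LEN = 2 + 20            # header plus SHA-1 digest
PREFIX_LEN = BLOCK + 2      # random block plus its last two bytes repeated


def block_fn(key: bytes, block: bytes) -> bytes:
    """Forward direction of a 128-bit block cipher, stand-in only (assumption).

    CFB uses the cipher in the encrypt direction for both encryption and
    decryption, so any keyed pseudorandom function of one block demonstrates
    the mode. This is not AES and does not interoperate with real OpenPGP data.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, data: bytes) -> bytes:
    """Plain CFB with an all-zero IV; RFC 4880 5.13 does no CFB resync here."""
    out, prev = bytearray(), bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        ks = block_fn(key, prev)
        c = bytes(p ^ k for p, k in zip(data[i:i + BLOCK], ks))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, data: bytes) -> bytes:
    """Naked CFB: whatever arrives is decrypted and returned, truncated or not."""
    out, prev = bytearray(), bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        ks = block_fn(key, prev)
        out += bytes(x ^ k for x, k in zip(c, ks))
        prev = c
    return bytes(out)


def seip_encrypt(key: bytes, plaintext: bytes, prefix: bytes = b"") -> bytes:
    """Encrypted body of an SEIP packet: prefix || plaintext || MDC under CFB.

    The MDC is SHA-1 over the prefix, the plaintext and the MDC packet header,
    so it is a hash of plaintext that is itself encrypted.
    """
    if not prefix:
        rnd = os.urandom(BLOCK)
        prefix = rnd + rnd[-2:]
    body = prefix + plaintext + MDC_HEADER
    return cfb_encrypt(key, body + hashlib.sha1(body).digest())


def seip_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and verify the MDC; ValueError on truncation or modification."""
    data = cfb_decrypt(key, ciphertext)
    if len(data) < PREFIX_LEN + MDC_LEN:
        raise ValueError("too short: no room for prefix and MDC packet")
    if data[BLOCK - 2:BLOCK] != data[BLOCK:PREFIX_LEN]:
        raise ValueError("prefix quick check failed: wrong key or damaged data")
    body, mdc_pkt = data[:-20], data[-MDC_LEN:]
    if mdc_pkt[:2] != MDC_HEADER:
        raise ValueError("MDC packet header missing: truncated or modified")
    if not hmac.compare_digest(hashlib.sha1(body).digest(), mdc_pkt[2:]):
        raise ValueError("MDC mismatch: ciphertext was modified")
    return data[PREFIX_LEN:-MDC_LEN]


def demo(key: bytes = bytes(range(16)),
         plaintext: bytes = b"Transfer 100 to Alice") -> dict:
    """Constructed sample: compare naked CFB with the MDC-protected packet."""
    ct = seip_encrypt(key, plaintext)
    results = {"roundtrip_ok": seip_decrypt(key, ct) == plaintext}

    # Truncation: drop the MDC packet and the last five plaintext bytes.
    cut = ct[:len(ct) - MDC_LEN - 5]
    results["naked_cfb_output_after_truncation"] = cfb_decrypt(key, cut)[PREFIX_LEN:]
    try:
        seip_decrypt(key, cut)
        results["mdc_detects_truncation"] = False
    except ValueError:
        results["mdc_detects_truncation"] = True

    # Bit flip in the first plaintext byte of the ciphertext.
    flipped = bytearray(ct)
    flipped[PREFIX_LEN] ^= 0x01
    try:
        seip_decrypt(key, bytes(flipped))
        results["mdc_detects_bitflip"] = False
    except ValueError:
        results["mdc_detects_bitflip"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two things worth noticing when running it. First, naked CFB returns exactly the first sixteen bytes of the message after truncation, with no error at all; a recipient has no way to tell a short message from a shortened one. Second, in CFB a flipped ciphertext bit flips the same plaintext bit and garbles the following block, which is why the MDC check above trips either on the 0xD3 0x14 header or on the digest comparison; the digest comparison uses hmac.compare_digest to avoid timing leaks, even though nothing in this example is secret-dependent in time in a way that matters.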