Jon Callas <jon(_at_)callas(_dot_)org> writes:
> But when you do, take into account that MDC pre-dates HMAC
"Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG" was
published at ISC'02; the MDC mechanism appeared in OpenPGP drafts around
2000-2001. "Keying Hash Functions for Message Authentication" dates from
1996, predating even the original OpenPGP spec (RFC 2440 from 1998, which
doesn't mention MDC).
> Standards are compromises, and a good compromise leaves everyone a bit
> grumpy. Since those days, I've developed an affection for MDC because it sits
> in a nether world alongside related concepts like deniable encryption that also
> sound good until you think about them for long enough.
See "The Order of Encryption and Authentication for Protecting Communications
(Or: How Secure is SSL?)" from Crypto'01.
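As an added illustration of the design point behind the two references (this is example code written for this page, not code from the thread or from any OpenPGP implementation): an MDC-style unkeyed hash placed under the encryption can only be checked after the receiver has already produced the attacker-modified plaintext, whereas an HMAC computed over the ciphertext (encrypt-then-MAC) rejects a modified message before anything is decrypted. The stream cipher is a SHA-256 counter-mode stand-in for OpenPGP's CFB mode (both are malleable, which is all that matters here), the MDC packet framing is omitted, and the keys, nonce and message are constructed for the demo; all of that is assumption, not OpenPGP's actual wire format.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, used only so the example
    runs on the standard library. Like OpenPGP's CFB mode it is malleable:
    flipping a ciphertext bit flips the same plaintext bit. Not for real use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mdc_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """MDC-style construction: an unkeyed SHA-1 of the plaintext is appended
    and the whole body encrypted (OpenPGP's MDC packet framing is omitted)."""
    body = plaintext + hashlib.sha1(plaintext).digest()
    return xor(body, keystream(key, nonce, len(body)))


def mdc_decrypt(key: bytes, nonce: bytes, ciphertext: bytes):
    """Decrypts first, checks the hash second. Returns (ok, plaintext); the
    plaintext exists even when the check fails, which is what a
    chosen-ciphertext attacker needs if any of it leaks back."""
    body = xor(ciphertext, keystream(key, nonce, len(ciphertext)))
    plaintext, digest = body[:-20], body[-20:]
    ok = hmac.compare_digest(hashlib.sha1(plaintext).digest(), digest)
    return ok, plaintext


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC-SHA256 under a separate key over the ciphertext."""
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verifies the tag before touching the ciphertext; a modified or forged
    message is rejected without any decryption taking place."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, xor(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def demo() -> dict:
    # Constructed keys, nonce and message for the demonstration (assumptions).
    enc_key, mac_key, nonce = b"k" * 32, b"m" * 32, b"n" * 16
    msg = b"Transfer 100 EUR to Alice"
    # Byte 9 is the '1' of "100"; '1' ^ 0x08 == '9', so the attacker turns
    # 100 into 900 without knowing the key.
    tampered_mdc = flip_bit(mdc_encrypt(enc_key, nonce, msg), 9, 3)
    mdc_ok, mdc_pt = mdc_decrypt(enc_key, nonce, tampered_mdc)
    tampered_etm = flip_bit(etm_encrypt(enc_key, mac_key, nonce, msg), 9, 3)
    etm_ok, etm_pt = etm_decrypt(enc_key, mac_key, nonce, tampered_etm)
    return {
        "mdc_accepted": mdc_ok,      # False: the hash check does fail ...
        "mdc_plaintext": mdc_pt,     # ... but only after "900" was produced
        "etm_accepted": etm_ok,      # False
        "etm_plaintext": etm_pt,     # None: rejected before decryption
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both constructions reject the tampered message, so the difference is not whether modification is detected but what the receiver has done by the time it finds out: the MDC path has already decrypted attacker-chosen plaintext, and any channel that echoes that plaintext back (the scenario the ISC'02 paper builds on) turns the receiver into a decryption oracle. Keying the check and placing it over the ciphertext, as HMAC in encrypt-then-MAC does, closes that channel before decryption starts.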
openpgp mailing list