
Re: [openpgp] OpenPGP SEIP downgrade attack

2015-10-05 13:16:11
On Mon,  5 Oct 2015 16:07, jonas(_dot_)magazinius(_at_)assured(_dot_)se said:

> predictable message structure, it is possible to switch the SEIP tag to
> SE, strip the MDC (and signature), and align and manipulate the

> protection has been questioned now and then over the years [1,2], but
> it's been maintained that it is secure against this kind of attack [3].

Well, I assumed that this is the case (my "Yes") but in the next mail
Trevor explained that this is not true.  More important however is my
remark that we need to get MDC deployed so that we can issue an error
for non MDC packets instead of just a warning.

AFAIK, there are still implementations not supporting MDC and a small
number of folks loudly complaining when I removed PGP-2 support.

> A large part of the problem here is due to CFB mode, but it seems we're
> stuck with that. It would make sense to use a different mode, but again
> I understand the legacy issues.

One of the goals of 4880bis is:

  - A symmetric encryption mechanism that offers modern message
    integrity protection (AEAD)



Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
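
Added example (not part of the original message and not GnuPG code): the policy described above, an error rather than a warning for packets without MDC, sketched as a packet-header check following RFC 4880 section 4.2. The function and exception names are hypothetical, and the sample bytes are constructed.

```python
TAG_SE = 9      # Symmetrically Encrypted Data packet (no integrity protection)
TAG_SEIP = 18   # Sym. Encrypted Integrity Protected Data packet (carries an MDC)

class NoIntegrityProtection(Exception):
    """Raised when the encrypted container is a plain SE packet."""

def parse_header(buf, pos=0):
    """Return (tag, header_len, body_len); body_len is None for an
    indeterminate (old format) or partial (new format) length."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, 2, o1
        if o1 < 224:
            return tag, 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, 2, None                           # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, 1, None                           # indeterminate length
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def check_encrypted_container(buf):
    """Walk the outer packets; return "SEIP" or raise on an SE packet."""
    pos = 0
    while pos < len(buf):
        tag, hlen, blen = parse_header(buf, pos)
        if tag == TAG_SE:
            raise NoIntegrityProtection("tag 9 packet: refusing to decrypt")
        if tag == TAG_SEIP:
            return "SEIP"
        if blen is None:
            raise ValueError("cannot skip a packet of unknown length")
        pos += hlen + blen
    raise ValueError("no encrypted data packet found")

# Constructed sample inputs (dummy bodies, not real ciphertext).
SKESK = bytes([0xC3, 3, 4, 9, 0])              # tag 3, new format
SEIP = bytes([0xD2, 4, 1, 0xAA, 0xBB, 0xCC])   # tag 18, new format
SE_OLD = bytes([0xA4, 3, 0xAA, 0xBB, 0xCC])    # tag 9, old format
SE_NEW = bytes([0xC9, 3, 0xAA, 0xBB, 0xCC])    # tag 9, new format

if __name__ == "__main__":
    print(check_encrypted_container(SKESK + SEIP))
```

As the message notes, a hard error like this is only practical once implementations without MDC support are no longer in use.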
