ietf-openpgp

Re: [openpgp] encrypted packets' quick integrity check

2016-03-09 22:31:42
On 8 March 2016 at 06:56, Neal H. Walfield <neal(_at_)walfield(_dot_)org> wrote:
> Hi,
>
> I recently took a look at the Mister and Zuccherato attack on the
> quick integrity check in encrypted packets (i.e., that the last two
> bytes of the IV are correctly repeated) and I have two suggestions for
> RFC4880bis.
>
>
> The attack relies on finding the correct values for the quick
> integrity check using an exhaustive search.  This can be defeated by
> making an exhaustive search unfeasible.  Concretely, instead of just
> copying the last two bytes of the random IV, we replicate the whole
> IV.

If we use a chunked AEAD mode that is safe for streaming (which I
think we should) - can we just do away with the quick check entirely?

-tom

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
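
The check discussed in this thread, as an added example that is not code from either poster or from any OpenPGP implementation: it works on the already-decrypted prefix (the "random IV" plus its repeated bytes) and compares the two-byte repeat with the whole-IV repeat proposed above. All function names and the `full_repeat` switch are assumptions made for the illustration.

```python
import hmac
import random
import secrets

def make_prefix(block_size: int, full_repeat: bool = False) -> bytes:
    """Plaintext prefix: random IV followed by its last two bytes,
    or by the whole IV when full_repeat is set (the proposal above)."""
    iv = secrets.token_bytes(block_size)
    return iv + (iv if full_repeat else iv[-2:])

def quick_check(prefix: bytes, block_size: int, full_repeat: bool = False) -> bool:
    """True when the repeated bytes match the tail of the IV."""
    n = block_size if full_repeat else 2
    if len(prefix) < block_size + n:
        return False  # truncated prefix never passes
    expected = prefix[block_size - n:block_size]
    repeated = prefix[block_size:block_size + n]
    return hmac.compare_digest(expected, repeated)

def false_accept_probability(block_size: int, full_repeat: bool = False) -> float:
    """Chance that a uniformly random prefix passes the check."""
    bits = 8 * (block_size if full_repeat else 2)
    return 2.0 ** -bits

def measured_false_accepts(trials: int, block_size: int, seed: int) -> int:
    """Count random (constructed) prefixes that pass the two-byte check."""
    rng = random.Random(seed)
    size = block_size + 2
    hits = 0
    for _ in range(trials):
        prefix = rng.getrandbits(8 * size).to_bytes(size, "big")
        hits += quick_check(prefix, block_size)
    return hits

if __name__ == "__main__":
    bs = 16  # block size of a 128-bit cipher
    print("two-byte repeat :", false_accept_probability(bs))
    print("whole-IV repeat :", false_accept_probability(bs, full_repeat=True))
    print("random prefixes passing, of 200000:",
          measured_false_accepts(200_000, bs, seed=1))
```

With a two-byte repeat a random prefix passes about once in 65536 tries, which is why the search space is small; repeating a 16-byte IV shrinks that to 2^-128.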
