pgpfan:mdc
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
pgpfan:mdc [2022/05/28 20:54] – [A Less Intuitive, More Technical Explanation] Awkward phrasing b.walzer | pgpfan:mdc [2022/07/18 22:58] – [The OpenPGP Modification Detection Code is Actually Good] b.walzer | ||
---|---|---|---|
Line 48: | Line 48: | ||
All that was required to make the MDC was the addition of a single hash. The MDC is actually an example of minimalist and appropriate design. | All that was required to make the MDC was the addition of a single hash. The MDC is actually an example of minimalist and appropriate design. | ||
- | I am not a professional cryptographer, | + | I am not a professional cryptographer, |
The combination of OCFB and MDC is effectively authenticated encryption. It detects changes in messages based on the shared secret of the encryption key. There is a definition of authenticated encryption that makes refusal to release suspect data mandatory, but that is not relevant for the sort of offline applications that OpenPGP is used for. There is only one encrypted message/ | The combination of OCFB and MDC is effectively authenticated encryption. It detects changes in messages based on the shared secret of the encryption key. There is a definition of authenticated encryption that makes refusal to release suspect data mandatory, but that is not relevant for the sort of offline applications that OpenPGP is used for. There is only one encrypted message/ | ||
Line 56: | Line 56: | ||
The MDC uses the SHA1 method for the hash. Not everyone knows that the discovered weakness in SHA1 is irrelevant to the MDC. I suppose you could redefine it as the "MDC hash" and specify that it only needs to be irreversible to prevent unnecessary angst. In general, the MDC is likely to be resistant to weaknesses in the hash due to the fact that the stored hash is encrypted and randomized by the random data which makes it very hard to mess with. | The MDC uses the SHA1 method for the hash. Not everyone knows that the discovered weakness in SHA1 is irrelevant to the MDC. I suppose you could redefine it as the "MDC hash" and specify that it only needs to be irreversible to prevent unnecessary angst. In general, the MDC is likely to be resistant to weaknesses in the hash due to the fact that the stored hash is encrypted and randomized by the random data which makes it very hard to mess with. | ||
- | The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. Proposals to add one or more encrypted authenticated modes and depreciate the MDC don't make sense to me. We would be better off if we simply did nothing. | + | The MDC is secure and is well suited to the sort of offline encryption that the OpenPGP standard embodies. |
=====A Less Intuitive, More Technical Explanation===== | =====A Less Intuitive, More Technical Explanation===== |
pgpfan/mdc.txt · Last modified: 2023/12/11 13:30 by b.walzer