The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

pgpfan:no_new_ae

Differences

This shows you the differences between two versions of the page.

pgpfan:no_new_ae [2023/12/27 01:00] – [Conclusion] We have a list of example problems now b.walzer
pgpfan:no_new_ae [2024/01/06 16:33] – [Hash then encrypt is generically insecure] removed link to weak article b.walzer
Line 97: Line 97:
 ===OpenPGP's OCFB-MDC is inferior because it falls into the class of INT-PTXT instead of the class of INT-CTXT=== ===OpenPGP's OCFB-MDC is inferior because it falls into the class of INT-PTXT instead of the class of INT-CTXT===
  
-This is essentially the idea that hash then encrypt is inferior expressed in the language of theoretical cryptography. This is covered in separate article: [[pgpfan:intptxt]].+This is essentially the idea that hash then encrypt is inferior expressed in the language of theoretical cryptography. Since we know the design of OCFB-MDC we can address this directly. 
 + 
 +Because of that design you have to decrypt the message/file first before checking for any changes. So there is a risk that the message/file might leak or be caused to leak during that check. After the check you can blow up with an error if you want and prevent any further chance of a leak. 
 + 
 +The check here is the hash called SHA-1. As with most hashes, the time taken is not affected by the content that is being checked. It would be pretty much impossible to make the time taken depend on the content by accident. Since this is a hash, it acts to destroy the meaning of the content to prevent the hash from being reversed. So some sort of side channel leak is very unlikely.
  
 ====OpenPGP does not have authenticated encryption. Everything needs authenticated encryption.==== ====OpenPGP does not have authenticated encryption. Everything needs authenticated encryption.====
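Review bot: the three added paragraphs in this hunk narrow the leak risk to the timing of the SHA-1 computation, but the risk the hunk itself states two lines earlier ("you have to decrypt the message/file first before checking") is wider than timing: any use of the decrypted bytes before the MDC check completes, for example an implementation that hands plaintext to its consumer as it decrypts, is a leak path that a content-independent hash does nothing about. Suggest stating the precondition explicitly, e.g. "provided the implementation withholds all decrypted output until the MDC check has passed", and replacing "blow up with an error" with what the implementation should actually do: discard the buffered plaintext and report an integrity failure. Also, removing the cross-reference to [[pgpfan:intptxt]] leaves the INT-PTXT/INT-CTXT terms in the heading undefined on this page; a one-sentence gloss (integrity of plaintext versus integrity of ciphertext) would keep the heading readable on its own.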
pgpfan/no_new_ae.txt · Last modified: 2024/01/29 13:21 by b.walzer