pgpfan:no_new_ae
Differences
This shows you the differences between two versions of the page.
pgpfan:no_new_ae [2023/12/27 01:00] – [Conclusion] We have a list of example problems now b.walzer | pgpfan:no_new_ae [2024/01/06 16:41] – [Hash then encrypt is generically insecure] closer b.walzer | ||
---|---|---|---|
Line 97: | Line 97: | ||
===OpenPGP' | ===OpenPGP' | ||
- | This is essentially the idea that hash then encrypt is inferior expressed in the language of theoretical cryptography. | + | This is essentially the idea that hash then encrypt is inferior expressed in the language of theoretical cryptography. |
+ | |||
+ | Because of that design you have to decrypt the message/ | ||
+ | |||
+ | The check here is the hash called SHA-1. As with most hashes, the time taken is not affected by the content that is being checked. It would be pretty much impossible to make the time taken depend on the content by accident. Since this is a hash, it acts to destroy the meaning of the content to prevent the hash from being reversed. So some sort of side channel leak is very unlikely. | ||
+ | |||
+ | So when someone brings up the fact that OCFB-MDC is INT-PTXT they are really saying they think that a hash operation might leak information. They would have to come up with some idea of how that might happen. | ||
====OpenPGP does not have authenticated encryption. Everything needs authenticated encryption.==== | ====OpenPGP does not have authenticated encryption. Everything needs authenticated encryption.==== |
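Review bot: The last added paragraph reduces the INT-PTXT objection to "a hash operation might leak information", but the first added paragraph says the message has to be decrypted before the check can run, and the new text never covers what happens to that decrypted data in the meantime. The timing of SHA-1 is only one possible channel. The section should also say whether the plaintext can be released, parsed or acted on, or whether distinguishable errors can be returned, before the OCFB-MDC check has passed, since that is the window the INT-PTXT point is about. The claim "some sort of side channel leak is very unlikely" is argued only for the hash computation itself, so either scope it to that ("a leak from the hash computation is very unlikely") or extend the argument to the comparison of the computed hash with the stored one and to the handling of the decrypted data before the result is known.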
pgpfan/no_new_ae.txt · Last modified: 2024/01/29 13:21 by b.walzer