The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


pgpfan:tpp

Differences

This shows you the differences between two versions of the page.


pgpfan:tpp [2022/06/06 19:02] – Clearer wording. b.walzer
pgpfan:tpp [2022/08/21 12:33] – "would of" b.walzer
Line 42: Line 42:
 >The “new format” packets have variable-length lengths, like BER (try to write a PGP implementation and you may wish for the sweet release of ASN.1). >The “new format” packets have variable-length lengths, like BER (try to write a PGP implementation and you may wish for the sweet release of ASN.1).
  
-For part of my working life I had to implement low level protocols from specifications of various kinds. If I had of encountered the OpenPGP packet structure I would of considered implementing to be a relatively good time. The reader is invited to experience the overwhelming complexity of the OpenPGP packet structure. It is defined in [[https://datatracker.ietf.org/doc/html/rfc4880#section-4|section 4 of RFC-4880]]. The definition is all of 4 pages long. It includes code examples for each case of the length extension and a complete list of possible tags.+For part of my working life I had to implement low level protocols from specifications of various kinds. If I had of encountered the OpenPGP packet structure I would have considered implementing to be a relatively good time. The reader is invited to experience the overwhelming complexity of the OpenPGP packet structure. It is defined in [[https://datatracker.ietf.org/doc/html/rfc4880#section-4|section 4 of RFC-4880]]. The definition is all of 4 pages long. It includes code examples for each case of the length extension and a complete list of possible tags.
  
 >The most recent keyserver attack happened because GnuPG accidentally went quadratic in parsing keys, which also follow this deranged format. >The most recent keyserver attack happened because GnuPG accidentally went quadratic in parsing keys, which also follow this deranged format.
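Review bot: The new side of the changed paragraph still reads "If I had of encountered", the same construction this revision corrects later in that sentence ("would of" to "would have"), so the fix is only half applied; suggest "If I had encountered". In the same sentence "considered implementing to be a relatively good time" has no object, and "implementing it" would read more clearly. The link to section 4 of RFC-4880 and the "4 pages" claim are unchanged by this revision and need no action.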
Line 115: Line 115:
 >Trevor Perrin worked the SEIP out to 16 whole bits of security. >Trevor Perrin worked the SEIP out to 16 whole bits of security.
  
-This was wrong, but it was not Trevor Perrin's error. It turned out that the specification was wrong. Trevor Perrin was insightful enough to notice that the system described in the specification was vulnerable to this particular attack. The specification was corrected to what the implementations were actually doing and the vulnerability went away. This discussion was from the IETF OpenPGP standard mailing list(([[https://mailarchive.ietf.org/arch/msg/openpgp/UYEBC7hnZNbMoNWrfz9zJQb_FUk/|The ITEF OpenPGP discussion thread about the security properties of the MDC.]])). If any actual MDC weaknesses had come from the discussion then they would of been resolved at that time. There is no reason to think that there is anything wrong with the MDC. This discussion was part of the process intended to ensure that the MDC is secure.+This was wrong, but it was not Trevor Perrin's error. It turned out that the specification was wrong. Trevor Perrin was insightful enough to notice that the system described in the specification was vulnerable to this particular attack. The specification was corrected to what the implementations were actually doing and the vulnerability went away. This discussion was from the IETF OpenPGP standard mailing list(([[https://mailarchive.ietf.org/arch/msg/openpgp/UYEBC7hnZNbMoNWrfz9zJQb_FUk/|The ITEF OpenPGP discussion thread about the security properties of the MDC.]])). If any actual MDC weaknesses had come from the discussion then they would have been resolved at that time. There is no reason to think that there is anything wrong with the MDC. This discussion was part of the process intended to ensure that the MDC is secure.
  
 >And, finally, even if everything goes right, the reference PGP implementation will (wait for it) release unauthenticated plaintext to callers, even if the MDC doesn’t match. >And, finally, even if everything goes right, the reference PGP implementation will (wait for it) release unauthenticated plaintext to callers, even if the MDC doesn’t match.
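Review bot: The footnote text on the new side still spells the organisation "ITEF" ("The ITEF OpenPGP discussion thread ...") while the sentence it hangs from says "IETF"; since this revision is a wording cleanup of the same paragraph, correct the footnote to "IETF" as well. The "would of been" to "would have been" change itself is fine. Separately, the opening "This was wrong" does not say whether it refers to the quoted 16-bit figure or to the specification, and naming the subject would make the rebuttal easier to follow.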
pgpfan/tpp.txt · Last modified: 2023/12/19 13:21 by b.walzer