by tptacek 3905 days ago
The flaw he appears to be talking about is that the OpenPGP MDC doesn't cover metadata; the message must be parsed to recover the authenticator before the authenticator can be checked, and so the ciphertext is malleable.

The properties he's talking about for CFB are largely true of CTR as well (the gold standard in streaming modes). I think, by suggesting PGP use a "different mode", he may instead mean it would be better if PGP used an authenticated encryption mode.

Authentication is a weak spot for PGP, since its design predates much of authenticated cryptography.
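
An added illustration of the malleability described above (not code from this thread or from any OpenPGP implementation): the same one-bit change to a ciphertext goes unnoticed under AES-CFB but is rejected by AES-GCM, the kind of AEAD mode meant by "different mode". The key, message and header below are constructed demo values, not real key material.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo values, not real key material.
var demoKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var demoMsg = []byte("pay 100 to alice; this line is unauthenticated")

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// randomBytes draws a fresh IV or nonce from the CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	_, err := rand.Read(b)
	must(err)
	return b
}

// flipLowBit copies data and flips the lowest bit of byte i (an in-transit change).
func flipLowBit(data []byte, i int) []byte {
	out := append([]byte(nil), data...)
	out[i] ^= 0x01
	return out
}

// tamperBoth encrypts msg under each mode, flips ciphertext bit i, and decrypts.
// AES-CFB has no authenticator, so it returns altered plaintext with no error.
// AES-GCM's tag covers all ciphertext plus aad, so Open fails and releases nothing.
func tamperBoth(key, msg, aad []byte, i int) (cfbPT []byte, gcmErr error) {
	block, err := aes.NewCipher(key)
	must(err)
	iv := randomBytes(aes.BlockSize)
	ct := make([]byte, len(msg))
	cipher.NewCFBEncrypter(block, iv).XORKeyStream(ct, msg)
	cfbPT = make([]byte, len(msg))
	cipher.NewCFBDecrypter(block, iv).XORKeyStream(cfbPT, flipLowBit(ct, i))
	aead, err := cipher.NewGCM(block)
	must(err)
	nonce := randomBytes(aead.NonceSize())
	_, gcmErr = aead.Open(nil, nonce, flipLowBit(aead.Seal(nil, nonce, msg, aad), i), aad)
	return cfbPT, gcmErr
}
```

With full-block CFB the flipped ciphertext bit flips the same plaintext bit and garbles only the following 16-byte block, so a receiver sees a mostly sensible message and no error; the GCM path returns an authentication failure and no plaintext at all.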

2 comments

Indeed, further down the thread Werner Koch suggests the solution is deploying AEAD modes, but the bottleneck is other implementations picking it up.

As an aside, I'm surprised this got posted to cryptography@metzdowd; the S/N on that list is so low I'm surprised anyone still bothers to read it.

Thanks for the clear translation of the issue.