Hacker News new | ask | show | jobs
by tptacek 2547 days ago
PGP has semi-optional, strippable authenticators. Serious cryptographic protocols do not. Plaintext encrypted with a modern AEAD cipher --- forget protocols, here we're just talking about selecting reasonable primitives --- can't be decrypted without simultaneously authenticating. That's not how PGP (or S/MIME) works, and that malleability led to Efail.

No competent engineer would accept in 2019 (or, for that matter, 2009) a new cryptosystem that functioned the way PGP does.
1 comments
dewyatt 2541 days ago
The OpenPGP RFC bis does add AEAD. The spec is overall much too flexible IMO and could use some modernization, but I don't see it as un-salvageable, as you seem to.
link
tptacek 2537 days ago
OpenPGP is unsalvageable. One of the core goals of modern cryptography is to eliminate backwards compatibility with insecure 1990s crypto; OpenPGP instead lovingly preserves it.
link
dewyatt 2537 days ago
Much of that could be solved by an implementation having user-controlled policies that whitelist/blacklist sets of algorithms. An implementation could be made with a sane default policy.

Of course, some things ought to just be replaced (S2K).

link