[woodruffw]

I’ve read this response before, and I don’t think it’s great: it makes claims about time-testedness and simplicity that on first glance apply to PGP, but in reality are either outright wrong (the results against MDC instead of true AEAD are in, and it’s a fail) or misleading in their conclusions (a “simple” packet structure that encourages EXPTIME parsing is not actually simple).

The assumption underlying much of the post is that PGP is only used in offline, stateless applications. This would make the arguments stronger, except that it isn’t true[1].

[1]: https://delta.chat/en/

[upofadown]

>...the results against MDC instead of true AEAD are in, and it’s a fail...

It's really OCFB-MDC. It's only a authenticated mode when the two things are used together (like GCM). It doesn't provide protection of associated data (the AD part of AEAD) but that isn't something that seems to be potentially useful for the stuff that the OpenPGP standard is used for. I don't know what "true AEAD" means in this context. As a user I only care that the OCFB-MDC mode is actually secure. I am not interested in any philosophical aspects.

The stuff about offline stateless applications only adds to the argument. A version of OCFB-MDC could be used, for say, TLS and would be expected to be secure.

[woodruffw]

> It doesn't provide protection of associated data (the AD part of AEAD) but that isn't something that seems to be potentially useful for the stuff that the OpenPGP standard is used for.

It isn't sensible to assert this, because people use OpenPGP in all kinds of crazy ways. One of the recurring headaches in applied cryptographic engineering is discovering that people do, in fact, attempt to use PGP for instant messaging (per above), as a TLS certificate delivery mechanism, etc. These are contexts where the use of an AEAD is frequently appropriate.

> As a user I only care that the OCFB-MDC mode is actually secure.

In practice, it has not been[1]. PGP's decision to use MDC instead of a real MAC is a classic example of home-rolled primitives being conceptually algebraically sound but broken in user settings. The solution here is simple: OpenPGP is not special, and should use a MAC or AEAD mode like everyone else does. It also shouldn't release the plaintext until the authentication tag is actually validated, which was another profound historic breakage with MDC.

[1]: https://mailarchive.ietf.org/arch/msg/openpgp/w4i30aLplh91iw...

[upofadown]

You posted a link to the email where Trevor Perrin acknowledged that the corrected specification was secure.

>PGP's decision to use MDC instead of a real MAC...

The MDC can be interpreted as a MAC. The hash is first seeded with a MAC key (the "random block"). So a boring old hash MAC. SHA-1 is vulnerable to length extension attacks but that is not an issue here as the attacker never gets access to the state of the hash (everything is encrypted). I guess this could be considered an advantage of MAC then encrypt. The only property the hash requires is that the MAC key will be propagated to the check value in such a way that it is indistinguishable from random. So SHA-1 is wild overkill here.