by upofadown
808 days ago
You posted a link to the email where Trevor Perrin acknowledged that the corrected specification was secure.

> PGP's decision to use MDC instead of a real MAC...

The MDC can be interpreted as a MAC. The hash is first seeded with a MAC key (the "random block"). So a boring old hash MAC. SHA-1 is vulnerable to length extension attacks, but that is not an issue here as the attacker never gets access to the state of the hash (everything is encrypted). I guess this could be considered an advantage of MAC-then-encrypt. The only property the hash requires is that the MAC key will be propagated to the check value in such a way that it is indistinguishable from random. So SHA-1 is wild overkill here.