[149213] in cryptography@c2.net mail archive


Re: [Cryptography] Does PGP use sign-then-encrypt or

daemon@ATHENA.MIT.EDU (Werner Koch)
Thu Jan 23 12:52:51 2014

X-Original-To: cryptography@metzdowd.com
From: Werner Koch <wk@gnupg.org>
To: Peter Todd <pete@petertodd.org>
In-Reply-To: <20140122175708.GA30647@savin> (Peter Todd's message of "Wed, 22
	Jan 2014 12:57:08 -0500")
Date: Thu, 23 Jan 2014 16:36:30 +0100
Cc: cryptography@metzdowd.com, Derek Atkins <derek@ihtfp.com>,
	Stephan Neuhaus <stephan.neuhaus@tik.ee.ethz.ch>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Wed, 22 Jan 2014 18:57, pete@petertodd.org said:

> GnuPG at least does sign-then-encrypt, and for good reason.  Consider
> the following encrypted message:

Right, this is the de-facto standard since PGP 2.  PGP/MIME (RFC-3156)
also demands sign-then-encrypt.

In addition OpenPGP demands the use of an MDC (manipulation detection
code) which is the SHA-1 hash of the plaintext appended to the plaintext
before the encryption.  It is not the best thing one could do but it
mitigates many attacks on the CFB mode.  The MDC feature is widely
deployed since its introduction in 2000 (GnuPG 1.0.2, PGP 7).


Shalom-Salam,

   Werner


-- 
Thoughts are free.  Exceptions are regulated by a federal law.
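
Added example, not part of the message above and not GnuPG's code: a minimal sketch of the MDC construction, showing that a modified CFB ciphertext decrypts to altered text unless the SHA-1 check is performed. It goes slightly beyond the message by following the RFC 4880 layout (random prefix, hash taken over prefix, plaintext and the two MDC header bytes). Assumptions: keyed SHA-256 stands in for the block cipher, and the function names, key and sample message are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16                # block size of the stand-in cipher, in bytes
MDC_HDR = b"\xd3\x14"     # MDC packet header: tag 19, body length 20

def _E(key, block):
    # Assumption: keyed SHA-256 stands in for a block cipher (this is NOT AES).
    # CFB only uses the cipher's forward direction, so this is enough here.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key, data, decrypt):
    # Plain CFB with an all-zero IV; the random prefix plays the IV's role.
    out, fb = bytearray(), bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, _E(key, fb)))
        out += res
        fb = chunk if decrypt else res   # feedback is always the ciphertext
    return bytes(out)

def seal(key, plaintext):
    r = os.urandom(BLOCK)
    body = r + r[-2:] + plaintext + MDC_HDR      # prefix | plaintext | MDC header
    return cfb(key, body + hashlib.sha1(body).digest(), False)

def open_sealed(key, ct):
    body = cfb(key, ct, True)
    data, mdc = body[:-20], body[-20:]
    ok = (len(body) >= BLOCK + 2 + 22 and data[-2:] == MDC_HDR
          and hmac.compare_digest(hashlib.sha1(data).digest(), mdc))
    if not ok:
        raise ValueError("MDC check failed: ciphertext was modified")
    return data[BLOCK + 2:-2]

def flip(ct, offset, mask):
    # Simulates in-transit modification of one ciphertext byte.
    return ct[:offset] + bytes([ct[offset] ^ mask]) + ct[offset + 1:]

if __name__ == "__main__":
    key, msg = b"constructed-key!", b"constructed sample message"
    ct = seal(key, msg)
    bad = flip(ct, BLOCK + 2, 0x01)              # first plaintext byte
    print(open_sealed(key, ct))
    print(cfb(key, bad, True)[BLOCK + 2:-22])    # no check: altered text accepted
    try:
        open_sealed(key, bad)
    except ValueError as e:
        print(e)
```

The second printed line shows the first byte changed and the following block garbled, which a receiver that skips the MDC comparison would accept as plaintext.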
