XML signature HMAC truncation authentication bypass

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Jul 28 11:58:48 EDT 2009

Jon Callas <jon at callas.org> writes:

>Okay, password-protected files would get it, too. I won't ask why you're
>sending password protected files to an agent.

They're not technically password-protected files but pre-shared key (PSK)
protected files, where the keys have a high level of entropy (presumably 128
bits, but I don't know the exact figure).  So in this case the S2K isn't
actually necessary because of the choice of password/PSK used.

(Sorry, for non-OpenPGP folks "S2K" = "string to key", a parameterised way of
processing a password, for example by iterated hashing with a salt, into a

>By the way, do you think it's safe to phase out MD5? That will break all the
>PGP 2 users.

The answer depends on what sort of user base you expect to have to support.  
In my case I disable things that I don't think get used much in betas and see 
if anyone complains.  If no-one does, it remains disabled in the final 
release.  Now if only I could rearrange this process so I didn't have to 
implement support for assorted practically-unused mechanisms in the first 

This is another interesting philosophical debate: What do other people do in 
terms of deprecating obsolete/insecure/little-used mechanisms?  Deprecate by 
stealth?  Flag day?  Support it forever?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
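The S2K mechanism mentioned in the message is OpenPGP's "string to key" transform (RFC 4880 section 3.7). Its strongest form, Iterated and Salted S2K (type 3), repeatedly hashes an 8-octet salt followed by the passphrase until a coded number of octets has been fed to the hash, and spins up extra hash contexts preloaded with zero bytes when the requested key is longer than one digest. The block below is an added, stand-alone illustration of that transform; it is not code from the original post or from any OpenPGP implementation, and the function and constant names are this example's own. It also shows the point Gutmann makes: the coded count caps the work at a few tens of millions of hashed octets, which only matters when the input is a low-entropy passphrase rather than a full-entropy PSK.

```python
"""Added example: OpenPGP Iterated and Salted S2K (RFC 4880 section 3.7.1.3).

Not code from the original post or from any OpenPGP implementation; the
names below are this example's own. Standard library only.
"""
import hashlib
import os

# RFC 4880 section 9.4 hash algorithm identifiers (subset).
HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

S2K_ITERATED_SALTED = 0x03  # S2K specifier type octet for Iterated and Salted


def decode_count(coded: int) -> int:
    """Decode the one-octet coded count into the number of octets to hash.

    The range is 1024 (coded 0x00) to 65011712 (coded 0xFF); this is an
    octet count, not an iteration count.
    """
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str, key_len: int) -> bytes:
    """Derive key_len octets from passphrase using Iterated and Salted S2K."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase  # hashed in this order: salt, then passphrase
    # The whole salt+passphrase is always hashed at least once, even when the
    # coded count is smaller than its length (matches common implementations).
    count = max(decode_count(coded_count), len(data))

    out = b""
    preload = 0  # the n-th hash context is preloaded with n zero octets
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * preload)
        remaining = count
        while remaining > len(data):
            h.update(data)
            remaining -= len(data)
        h.update(data[:remaining])  # final, possibly partial, copy
        out += h.digest()
        preload += 1
    return out[:key_len]


def encode_specifier(hash_id: int, salt: bytes, coded_count: int) -> bytes:
    """Serialise the 11-octet type-3 S2K specifier: type, hash ID, salt, count."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    return bytes([S2K_ITERATED_SALTED, hash_id]) + salt + bytes([coded_count])


def derive_from_specifier(spec: bytes, passphrase: bytes, key_len: int) -> bytes:
    """Parse a type-3 S2K specifier and derive a key from it."""
    if len(spec) != 11 or spec[0] != S2K_ITERATED_SALTED:
        raise ValueError("not an 11-octet Iterated and Salted S2K specifier")
    hash_name = HASH_ALGOS.get(spec[1])
    if hash_name is None:
        raise ValueError("unknown or unsupported hash algorithm ID %d" % spec[1])
    return s2k_iterated_salted(passphrase, spec[2:10], spec[10], hash_name, key_len)


if __name__ == "__main__":
    # Constructed demo input: random salt, SHA-256, coded count 0x60 (65536 octets).
    spec = encode_specifier(8, os.urandom(8), 0x60)
    key = derive_from_specifier(spec, b"correct horse battery staple", 16)
    print("specifier:", spec.hex())
    print("AES-128 key:", key.hex())
    print("octets hashed:", decode_count(0x60))
```

The useful checks when reviewing an S2K implementation are the ones encoded above: the count is an octet count and is clamped below by the input length, the last partial copy of salt+passphrase is truncated rather than rounded up, and key material beyond one digest comes from separately preloaded contexts rather than from re-hashing the first digest. With a 128-bit random PSK as the "passphrase" the stretching adds nothing, as the message notes; the salt still prevents two files from sharing a session key.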
