XML signature HMAC truncation authentication bypass
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Jul 28 11:58:48 EDT 2009
Jon Callas <jon at callas.org> writes:
>Okay, password-protected files would get it, too. I won't ask why you're
>sending password protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK)
protected files, where the keys have a high level of entropy (presumably 128
bits, but I don't know the exact figure). So in this case the S2K isn't
actually necessary because of the choice of password/PSK used.
(Sorry, for non-OpenPGP folks "S2K" = "string to key", a parameterised way of
processing a password, for example by iterated hashing with a salt, into a
key).
>By the way, do you think it's safe to phase out MD5? That will break all the
>PGP 2 users.
The answer depends on what sort of user base you expect to have to support.
In my case I disable things that I don't think get used much in betas and see
if anyone complains. If no-one does, it remains disabled in the final
release. Now if only I could rearrange this process so I didn't have to
implement support for assorted practically-unused mechanisms in the first
place...
This is another interesting philosophical debate: What do other people do in
terms of deprecating obsolete/insecure/little-used mechanisms? Deprecate by
stealth? Flag day? Support it forever?
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
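The iterated, salted S2K described in the message above, as an added example that is not code from the thread or from any OpenPGP implementation: it parses an RFC 4880 type-3 S2K specifier and derives a key by hashing salt||passphrase repeatedly until the decoded octet count has been consumed. The hash name, key length and SHA-256 default are assumed parameters, and the iteration count only buys anything when the secret is low-entropy, which is the point made about a 128-bit PSK.

```python
"""RFC 4880 iterated+salted (type 3) S2K, written as an illustration."""
import hashlib

# RFC 4880 section 9.4 hash algorithm IDs (subset); MD5 = 1 is the one
# the thread discusses phasing out.
HASH_IDS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}


def s2k_decode_count(coded: int) -> int:
    """Expand the one-octet coded count (RFC 4880 3.7.1.3): 1024 .. 65011712."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def parse_s2k_specifier(spec: bytes) -> dict:
    """Parse a type-3 specifier: type(1) | hash id(1) | salt(8) | coded count(1)."""
    if len(spec) != 11 or spec[0] != 3:
        raise ValueError("only the iterated+salted (type 3) S2K is handled here")
    if spec[1] not in HASH_IDS:
        raise ValueError(f"unknown hash algorithm id {spec[1]}")
    return {"hash": HASH_IDS[spec[1]], "salt": spec[2:10],
            "count": s2k_decode_count(spec[10])}


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Derive key_len octets from passphrase per RFC 4880 section 3.7.1.3."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    # The full salt+passphrase is always hashed at least once, even if
    # the decoded count is smaller than its length.
    count = max(s2k_decode_count(coded_count), len(data))
    out = b""
    ctx_index = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        # Each additional hash context is preloaded with one more zero octet
        # so that a key longer than one digest gets distinct blocks.
        h.update(b"\x00" * ctx_index)
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]   # last repetition may be partial
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx_index += 1
    return out[:key_len]
```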