MDC and GnuPG as a filter

David Shaw dshaw@jabberwocky.com
Mon Aug 12 16:25:02 2002


On Mon, Aug 12, 2002 at 03:59:06PM +0200, Florian Weimer wrote:
> It looks as if an application should start processing the decrypted
> data only after the MDC packet has been verified.  (Have a look at
> this paper: http://www.counterpane.com/pgp-attack.html -- most of you
> probably know it already.)
> 
> Unfortunately, this breaks one-pass processing for OpenPGP data.  The
> whole plaintext has to be stored, and in general, processing can only
> begin after all data has been received. :-(

This is true, but the onus is on the application to handle this
correctly, and not GnuPG.  GnuPG already does the right thing by
reporting an MDC failure as a decryption error.  If the application
chooses to ignore this, that's a bug in the application.  I agree it
would be nice to not generate any data at all when there is an MDC
failure, but as you say, it would mean no more one-pass processing.

Incidentally, if that paper is the same one that I saw, the section
about a GnuPG-specific attack is erroneous.  I sent a correction to
the authors, but unfortunately it did not arrive in time for the
conference deadline.

David

-- 
   David Shaw  |  dshaw@jabberwocky.com  |  WWW http://www.jabberwocky.com/
+---------------------------------------------------------------------------+
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson
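
Added example (not part of the original message, and not GnuPG's own code): a sketch of the application-side handling discussed above, where the filter's output is spooled and released only after the final status is known. The names decrypt_buffered, fake_gpg and IntegrityError are hypothetical, the require_mdc policy is an assumption, and fake_gpg is a constructed stand-in so the block runs without a keyring.

```python
import subprocess
import sys
import tempfile

# Real invocation (not run here): status lines go to stderr via --status-fd 2.
GPG_CMD = ["gpg", "--batch", "--status-fd", "2", "--decrypt"]
FAILURE = {"BADMDC", "DECRYPTION_FAILED"}


class IntegrityError(Exception):
    """Raised when the spooled decryption output must be discarded."""


def status_keywords(stderr_bytes):
    """Collect KEYWORD from each '[GNUPG:] KEYWORD args...' status line."""
    words = set()
    for line in stderr_bytes.decode("utf-8", "replace").splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "[GNUPG:]":
            words.add(parts[1])
    return words


def decrypt_buffered(cmd, ciphertext, require_mdc=True):
    """Spool the filter's output and return it only after the final verdict."""
    with tempfile.TemporaryFile() as spool, tempfile.TemporaryFile() as err:
        proc = subprocess.run(cmd, input=ciphertext, stdout=spool, stderr=err)
        err.seek(0)
        words = status_keywords(err.read())
        if proc.returncode != 0 or words & FAILURE:
            raise IntegrityError(f"decryption failed: {sorted(words)}")
        if "DECRYPTION_OKAY" not in words:
            raise IntegrityError("no DECRYPTION_OKAY status seen")
        if require_mdc and "GOODMDC" not in words:  # assumed policy choice
            raise IntegrityError("message carried no verified MDC")
        spool.seek(0)
        return spool.read()  # released to the caller only now


def fake_gpg(status_text, exit_code):
    """Constructed stand-in for gpg: echoes stdin, then reports a verdict."""
    script = ("import sys; sys.stdout.write(sys.stdin.read()); "
              f"sys.stderr.write({status_text!r}); sys.exit({exit_code})")
    return [sys.executable, "-c", script]
```

With a real keyring the call would be decrypt_buffered(GPG_CMD, ciphertext); the cost is the one named in the thread, since nothing downstream sees a byte until the whole message has been processed.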