no error returns when a wrong key/iv is used for decrypting

Werner Koch wk at
Fri Feb 18 08:59:43 CET 2011

On Fri, 18 Feb 2011 02:24, nmav at said:

> This is ok if a quick verification is required, but if malicious
> parties are expected, then this method is dangerous. That is because

It all depends on how you employ it.  We all know that providing an
oracle can be dangerous.  In OpenPGP this is not the case given that it
is properly implemented.  See the OpenPGP WG archives from 1998 or so
for lengthy discussions on this topic.



Thoughts are free.  Exceptions are regulated by a federal law.
