A coming attack on PGP, and a way to mitigate it

Daniel Franke df at dfranke.us
Mon May 4 07:06:04 CEST 2009

David Shaw <dshaw at jabberwocky.com> writes:

> Drat, I made the same error.  The nonce would have to be much earlier
> in the stream of bits being hashed to be useful.  Ah well, it was too
> good to be true :)

It's a pity, really.  We're foiled by what's almost certainly nothing
more than a thoughtless accident in the design of the protocol.  Perhaps
this remains something to consider for the next protocol revision.  I
can't think of any fundamental reason that PGP must necessarily be
exploitable by birthday attacks of any sort, although I'm talking
somewhat out of my depth in making this assertion.

>> Did you receive it but overlook it before writing this response, or
>> did it get dropped?
> Interesting.  I never got it at all.

Curse you, Mallory -- I know you're reading this!

 Daniel Franke         df at dfranke.us         http://www.dfranke.us
 |----| =|\     \\\\    
 || * | -|-\---------   Man is free at the instant he wants to be. 
 -----| =|  \   ///     --Voltaire
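The quoted reply turns on a structural property of Merkle-Damgard hashes: if two equal-length messages reach the same chaining value, any bytes appended afterwards (a late nonce included) are absorbed identically, so the collision survives; a nonce absorbed before the attacker-chosen data does not have that weakness. The following is an added illustration, not part of this thread and not GnuPG code. It uses a deliberately weak constructed toy hash (16-bit state, one-byte blocks, made-up constants) so that a birthday search finds a colliding pair in milliseconds, then checks both nonce placements.

```python
"""Toy Merkle-Damgard hash used to show why a nonce placed *after* the
data being signed does not stop a birthday (collision) attack, while a
nonce placed *before* it does.  Constructed example: the hash, IV and
constants are invented and far too small for real use."""
import random

IV = 0x1234  # constructed initial chaining value


def compress(state: int, byte: int) -> int:
    """Toy compression function: a 16-bit state absorbs one message byte."""
    x = ((state ^ (byte * 0x0101)) * 0x9E37) & 0xFFFF
    x ^= x >> 7
    x = (x * 0x85EB + byte) & 0xFFFF
    x ^= x >> 9
    return x


def chaining_value(msg: bytes) -> int:
    """Chaining value after absorbing msg, before finalization."""
    state = IV
    for b in msg:
        state = compress(state, b)
    return state


def toy_md_hash(msg: bytes) -> int:
    """Digest = chaining value after Merkle-Damgard strengthening (length
    absorbed at the end), mirroring the structure of MD5/SHA-1/SHA-2."""
    state = chaining_value(msg)
    n = len(msg)
    state = compress(state, n & 0xFF)
    state = compress(state, (n >> 8) & 0xFF)
    return state


def find_collision(length: int = 4, seed: int = 1):
    """Birthday search: random equal-length messages until two share a
    chaining value.  An internal collision is what a real birthday attack
    on an MD hash yields, since the digest *is* the final state."""
    rng = random.Random(seed)
    seen = {}
    while True:
        m = bytes(rng.randrange(256) for _ in range(length))
        cv = chaining_value(m)
        if cv in seen and seen[cv] != m:
            return seen[cv], m
        seen[cv] = m


def nonce_appended_still_collides(m1: bytes, m2: bytes, nonce: bytes) -> bool:
    """Nonce hashed after the colliding data (the flawed placement)."""
    return toy_md_hash(m1 + nonce) == toy_md_hash(m2 + nonce)


def nonce_prepended_still_collides(m1: bytes, m2: bytes, nonce: bytes) -> bool:
    """Nonce hashed before the colliding data (the useful placement)."""
    return toy_md_hash(nonce + m1) == toy_md_hash(nonce + m2)


def demo(trials: int = 8) -> dict:
    """Summarize how often a pre-computed collision survives each placement."""
    m1, m2 = find_collision()
    nonces = [bytes([i] * 8) for i in range(trials)]  # constructed nonces
    return {
        "digest_collides": toy_md_hash(m1) == toy_md_hash(m2),
        "appended_survives": sum(nonce_appended_still_collides(m1, m2, n)
                                 for n in nonces),
        "prepended_survives": sum(nonce_prepended_still_collides(m1, m2, n)
                                  for n in nonces),
        "trials": trials,
    }


if __name__ == "__main__":
    print(demo())
```

The appended case is deterministic: equal chaining values plus an identical suffix and identical length give an identical digest, whatever the nonce is. The prepended case is the one a signer wants: the attacker's precomputed pair no longer shares a chaining value once an unpredictable prefix is absorbed first.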