[144654] in cryptography@c2.net mail archive
Re: XML signature HMAC truncation authentication bypass
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Tue Jul 28 20:09:13 2009
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: jon@callas.org, pgut001@cs.auckland.ac.nz
Cc: cryptography@metzdowd.com, lmeiners@gmail.com
In-Reply-To: <2735B4A2-15E9-430A-ABCA-AD5195C48CE9@callas.org>
Date: Wed, 29 Jul 2009 03:58:48 +1200
Jon Callas <jon@callas.org> writes:
>Okay, password-protected files would get it, too. I won't ask why you're
>sending password protected files to an agent.
They're not technically password-protected files but pre-shared key (PSK)
protected files, where the keys have a high level of entropy (presumably 128
bits, but I don't know the exact figure). So in this case the S2K isn't
actually necessary because of the choice of password/PSK used.
(Sorry, for non-OpenPGP folks "S2K" = "string to key", a parameterised way of
processing a password, for example by iterated hashing with a salt, into a
key).
>By the way, do you think it's safe to phase out MD5? That will break all the
>PGP 2 users.
The answer depends on what sort of user base you expect to have to support.
In my case I disable things that I don't think get used much in betas and see
if anyone complains. If no-one does, it remains disabled in the final
release. Now if only I could rearrange this process so I didn't have to
implement support for assorted practically-unused mechanisms in the first
place...
This is another interesting philosophical debate: What do other people do in
terms of deprecating obsolete/insecure/little-used mechanisms? Deprecate by
stealth? Flag day? Support it forever?
Peter.
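For readers outside OpenPGP, the "iterated hashing with a salt" that Peter refers to is the "Iterated and Salted" S2K specifier of RFC 4880 (section 3.7.1.3). The following is an added example written for this archive page, not code from the original message or from PGP or any other OpenPGP implementation. The passphrase and salt values in it are constructed test inputs, not vectors from the RFC, and the second function is a deliberately naive cross-check that builds the whole hashed byte string in memory.

```python
"""Added example: OpenPGP "Iterated and Salted" S2K (RFC 4880, section 3.7.1.3).

Illustrative code for this archive page, not PGP's or any other project's
implementation. Passphrase and salt values below are constructed inputs.
"""
import hashlib

SALT_LEN = 8  # RFC 4880: the S2K salt is always 8 octets


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash.

    RFC 4880: count = (16 + (c & 15)) << ((c >> 4) + 6), so the range is
    1024 (c = 0x00) .. 65011712 (c = 0xFF).
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def _hash_stream(ctx_index: int, block: bytes, count: int, hash_name: str) -> bytes:
    """One hash context: preload ctx_index zero octets (these do not count
    toward `count`), then feed salt||passphrase repeatedly until `count`
    octets have been hashed, truncating the final repetition."""
    h = hashlib.new(hash_name)
    h.update(b"\x00" * ctx_index)
    remaining = count
    while remaining > 0:
        chunk = block[:remaining]
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets of key material from a passphrase the way
    OpenPGP does for symmetric session keys and secret-key protection."""
    if len(salt) != SALT_LEN:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + passphrase
    # RFC 4880: if salt||passphrase is longer than count, hash all of it once.
    count = max(decode_s2k_count(coded_count), len(block))
    out = b""
    ctx_index = 0
    # If the hash output is shorter than the key, run further contexts, each
    # preloaded with one more zero octet, and concatenate their outputs.
    while len(out) < key_len:
        out += _hash_stream(ctx_index, block, count, hash_name)
        ctx_index += 1
    return out[:key_len]


def s2k_reference(passphrase: bytes, salt: bytes, coded_count: int,
                  key_len: int, hash_name: str = "sha1") -> bytes:
    """Cross-check: materialise the whole hashed byte string instead of
    streaming it. Same result as s2k_iterated_salted, but O(count) memory."""
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    reps = -(-count // len(block))  # ceiling division
    stream = (block * reps)[:count]
    out = b""
    ctx_index = 0
    while len(out) < key_len:
        out += hashlib.new(hash_name, b"\x00" * ctx_index + stream).digest()
        ctx_index += 1
    return out[:key_len]


if __name__ == "__main__":
    # Constructed demo inputs: a fixed salt and a low-entropy passphrase.
    salt = bytes(range(8))
    pw = b"correct horse battery staple"
    key = s2k_iterated_salted(pw, salt, 0x60, 16)  # 0x60 -> 65536 octets hashed
    print("octets hashed:", decode_s2k_count(0x60), "key:", key.hex())
```

The coded count is what makes the S2K "parameterised": every extra octet hashed is work an attacker has to repeat per passphrase guess, which is why it matters for a human-chosen passphrase. It is also why Peter's point about a high-entropy PSK holds: if the secret is already 128 random bits, multiplying the cost of each guess by a few thousand hash operations changes nothing about a 2^128 search, so the iteration buys nothing.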
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com