
Re: CMR/ARR and OpenPGP (Re: What this WG is doing)



I wrote:
> Bill Stewart <stewarts@xxxxxxxxxxxxx> writes:
> > Unfortunately, it does look like the new format uses 64-bit KeyIDs
> > for these fields, and a 0xdeaddeaddeadbeef attack is a few billion
> > times harder than a 0xdeadbeef attack, which could otherwise fool it :-)
> 
> I think it's much harder to fool than you're thinking -- 
                    ^^^^^^

The above sentence is in error; I meant much _easier_ to fool. This is
probably obvious from the following text anyway...

> it doesn't
> decrypt the data, and so it can't attempt in any way to verify the
> contents of the PKE.  (It could somewhat with binding cryptography,
> but I understand this is not currently used).
> 
> So I think if you get an ARR request for 64 bit key (or 128 bit key,
> or whatever) 0x12345781234578, well, you just create the second
> recipient PKE field like so:
> 
> [ARR key-id][length-header][garbage]
> 
> and it will go flying through, right?  No 0xdeadbeef or longer cousin
> attacks required.
> 
> (Suggestions for human readable ASCII to put in the garbage field
> accepted on a postcard:-)

Adam
-- 
Now officially an EAR violation...
Have *you* exported RSA today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`