Hacker News

Isn't this great? I can put myself "in the room" when they decided not to do a full transcript MAC. The SSL3 transcript hash is annoying! It was the first protocol I personally encountered that did that. And what are you trying to protect? A key exchange, right? Why not just create a mechanism that catches the inputs to the key exchange, authenticates them, and ignores everything else? Everything else is just a vehicle for communicating those inputs.

So like, you could imagine yourself looking at the SSL 3.0 "Finished" message and the SSH "Exchange Hash" and asking yourself, why do the complicated thing? The SSH thing seems to work!

And: if you asked yourself that, like, in 2013, you could go on believing for ten years that everything was fine, and SSH just found a clever way to do handshake integrity less cumbersomely than SSL 3.0.

There's like an obvious lesson here about PGP and the MDC, right?
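To make the contrast drawn above concrete, here is an added toy model, constructed for this page and not code from the commenter, from OpenSSH or from any SSL library. It puts an SSH-style exchange hash (over the key-exchange inputs only) side by side with an SSL 3.0-style Finished (over the whole handshake transcript), on a channel whose tag is keyed over an implicit per-side packet counter as in SSH. Message numbers are borrowed from SSH, the AEAD tag is modelled with HMAC, and only the server-to-client direction is simulated; all of that is simplification. The attacker's two moves, adding an unauthenticated IGNORE packet during the handshake and deleting the first encrypted packet after NEWKEYS, are the pattern behind the SSH vulnerability this thread is about: the counters realign, the exchange hash never saw the extra packet, and the channel accepts the next packet as if nothing happened, while a transcript hash would disagree between the two sides.

```python
import hashlib
import hmac
import os

# Constructed illustration, not SSH or SSL code. The "AEAD tag" is an HMAC over
# (sequence number, packet); message numbers are borrowed from SSH for readability.
#   exchange hash   = hash over the key-exchange inputs only (SSH style)
#   transcript hash = hash over every handshake message in order (SSL 3.0 Finished style)

MSG_IGNORE, MSG_KEXINIT, MSG_KEXDH, MSG_NEWKEYS, MSG_EXT_INFO, MSG_DATA = 2, 20, 30, 21, 7, 94


class Peer:
    def __init__(self, name):
        self.name = name
        self.seq_send = 0       # implicit packet counters, as in SSH: never transmitted,
        self.seq_recv = 0       # each side simply counts what it sent and what it received
        self.transcript = []    # every handshake message this side sent or received
        self.kex_inputs = []    # only the key-exchange inputs
        self.key = None

    def send_plain(self, msg_type, payload):
        self.seq_send += 1
        self.transcript.append((msg_type, payload))
        return (msg_type, payload)

    def recv_plain(self, msg_type, payload):
        self.seq_recv += 1
        self.transcript.append((msg_type, payload))

    def _tag(self, seq, msg_type, payload):
        return hmac.new(self.key, seq.to_bytes(4, "big") + bytes([msg_type]) + payload,
                        "sha256").digest()

    def send_encrypted(self, msg_type, payload):
        seq, self.seq_send = self.seq_send, self.seq_send + 1
        return (msg_type, payload, self._tag(seq, msg_type, payload))

    def recv_encrypted(self, pkt):
        # The receiver uses its own counter; a dropped packet normally desyncs it.
        msg_type, payload, tag = pkt
        seq, self.seq_recv = self.seq_recv, self.seq_recv + 1
        return hmac.compare_digest(tag, self._tag(seq, msg_type, payload))


def exchange_hash(peer):
    return hashlib.sha256(b"".join(peer.kex_inputs)).digest()


def transcript_hash(peer):
    return hashlib.sha256(b"".join(bytes([t]) + p for t, p in peer.transcript)).digest()


def run(attacker_active):
    client, server = Peer("client"), Peer("server")
    shared = os.urandom(32)   # stands in for the DH/ECDH result K, known to both sides

    # Key exchange: KEXINIT payloads and key shares are what the exchange hash covers.
    for sender, receiver, msg_type, payload in ((client, server, MSG_KEXINIT, b"I_C"),
                                                (server, client, MSG_KEXINIT, b"I_S"),
                                                (client, server, MSG_KEXDH, b"e"),
                                                (server, client, MSG_KEXDH, b"f")):
        t, p = sender.send_plain(msg_type, payload)
        receiver.recv_plain(t, p)
        sender.kex_inputs.append(p)
        receiver.kex_inputs.append(p)

    # Handshake is still unencrypted and unauthenticated: a MITM can add a packet to the
    # client's inbound stream. IGNORE is not a key-exchange input, so the exchange hash
    # never sees it, but the client's receive counter now runs one ahead of the server.
    if attacker_active:
        client.recv_plain(MSG_IGNORE, b"injected")

    t, p = server.send_plain(MSG_NEWKEYS, b"")
    client.recv_plain(t, p)
    for peer in (client, server):
        peer.key = hashlib.sha256(shared + exchange_hash(peer)).digest()

    # First encrypted packet after NEWKEYS. The MITM deletes it, and the counters realign.
    ext_info = server.send_encrypted(MSG_EXT_INFO, b"server-sig-algs")
    ext_info_ok = client.recv_encrypted(ext_info) if not attacker_active else False
    data_ok = client.recv_encrypted(server.send_encrypted(MSG_DATA, b"hello"))

    return {
        "exchange_hash_matches": exchange_hash(client) == exchange_hash(server),
        "transcript_hash_matches": transcript_hash(client) == transcript_hash(server),
        "ext_info_delivered": ext_info_ok,
        "data_accepted": data_ok,
    }


if __name__ == "__main__":
    print("honest  :", run(False))
    print("attacked:", run(True))
```

In the attacked run the exchange hashes still agree, so key confirmation passes, the deleted EXT_INFO is never missed, and the data packet verifies; only the transcript hashes disagree, which is exactly the check the SSH design chose not to make.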



ChaPoly was added in 2013, but the weird KEX is even older, dating back all the way to 1998 in SSHv2. And surprisingly, the attack only works with the "better" symmetric ciphers that do INT-CTXT instead of INT-PTXT.


>There's like an obvious lesson here about PGP and the MDC, right?

Not sure that all the readers will already know about our constant quibbling about the security of the MDC. I have in the past suggested that the fact that the MDC has remained unbroken for 20+ years is evidence that it is secure.

Interestingly enough, I have recently stumbled across a paper[1] that shows that preventing an attacker from computing the hash is important for ensuring the security of hash-then-encrypt schemes like the MDC. OpenPGP does that by pre-seeding the hash with a random, encrypted value.

So does that mean that the MDC is secure? Unfortunately, when you come up with a set of requirements for security, you have to use your knowledge of existing attacks. You don't get to know about future attacks. So the fact that a particular construct has never been broken over a long time is in a sense the only objective evidence available.

[1] https://cseweb.ucsd.edu/~mihir/papers/enc-red.pdf
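The role of that random, encrypted prefix is easy to see in code. The block below is an added illustration (constructed for this page; not the commenter's code and not GnuPG or any OpenPGP implementation). It builds the MDC the way OpenPGP does, SHA-1 over prefix || plaintext || 0xD3 0x14 appended to the data and encrypted along with it, then lets an attacker who knows the plaintext try to swap it for another. One assumption is deliberate: OpenPGP encrypts with a block cipher in CFB mode, whereas this toy uses an HMAC-derived keystream as a stand-in cipher, so that a ciphertext bit flip changes exactly one plaintext bit and nothing else. That isolates the question the paper raises: can the attacker compute the hash it needs? With the prefix left out, it can, and the forgery is accepted; with the prefix in place, the hash depends on bytes the attacker never sees.

```python
import hashlib
import hmac
import os

# Constructed illustration of OpenPGP's hash-then-encrypt MDC. The cipher is a stand-in
# keystream (HMAC-SHA256 counter mode), NOT OpenPGP's CFB construction; it is used only so
# that bit flips are clean and the effect of the random prefix can be shown on its own.

MDC_HEADER = b"\xd3\x14"   # OpenPGP MDC packet: tag 0xD3, length 0x14 (20 bytes of SHA-1)
BLOCK = 16                  # block size; OpenPGP's random prefix is one block plus two bytes


def keystream(key, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def prefix_len(random_prefix):
    return BLOCK + 2 if random_prefix else 0


def seal(key, plaintext, random_prefix=True):
    # OpenPGP's prefix: one block of random bytes followed by a repeat of its last two bytes.
    if random_prefix:
        rnd = os.urandom(BLOCK)
        prefix = rnd + rnd[-2:]
    else:
        prefix = b""
    body = prefix + plaintext + MDC_HEADER
    mdc = hashlib.sha1(body).digest()
    return xor(body + mdc, keystream(key, len(body) + 20))


def open_(key, ciphertext, random_prefix=True):
    pt = xor(ciphertext, keystream(key, len(ciphertext)))
    body, mdc = pt[:-20], pt[-20:]
    plen = prefix_len(random_prefix)
    if random_prefix and body[plen - 2:plen] != body[plen - 4:plen - 2]:
        return None   # prefix repeat check failed
    if body[-2:] != MDC_HEADER or not hmac.compare_digest(hashlib.sha1(body).digest(), mdc):
        return None   # modification detected
    return body[plen:-2]


def forge(ciphertext, known_plaintext, new_plaintext, plen):
    """Attacker knows the plaintext and flips ciphertext bits to turn it into new_plaintext.
    To survive the MDC check it must also patch the encrypted hash, which means computing
    SHA-1 over the prefix it cannot see; it can only guess (here: all zeros)."""
    assert len(known_plaintext) == len(new_plaintext)
    forged = bytearray(ciphertext)
    for i, (old, new) in enumerate(zip(known_plaintext, new_plaintext)):
        forged[plen + i] ^= old ^ new
    guessed_prefix = b"\x00" * plen
    old_mdc = hashlib.sha1(guessed_prefix + known_plaintext + MDC_HEADER).digest()
    new_mdc = hashlib.sha1(guessed_prefix + new_plaintext + MDC_HEADER).digest()
    for i in range(20):
        forged[-20 + i] ^= old_mdc[i] ^ new_mdc[i]
    return bytes(forged)


def demo(random_prefix):
    """Returns (what the receiver gets from the honest ciphertext, what it gets from the forgery)."""
    key = os.urandom(32)
    msg = b"pay 100 to alice"    # constructed sample, same length as the forgery target
    evil = b"pay 999 to mallo"
    ct = seal(key, msg, random_prefix)
    forged = forge(ct, msg, evil, prefix_len(random_prefix))
    return open_(key, ct, random_prefix), open_(key, forged, random_prefix)


if __name__ == "__main__":
    print("no prefix  :", demo(False))   # forgery accepted
    print("with prefix:", demo(True))    # forgery rejected (None)
```

Without the prefix the attacker's hash guess is exact, so the patched MDC verifies and the receiver hands back the attacker's text; with the prefix the hash covers 18 random bytes the attacker never learns, and the check fails. Under real CFB a flipped ciphertext bit also garbles the following block, which makes the edit itself harder, but the dependence on the unseen prefix is what the cited paper is pointing at.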


> I have in the past suggested that the fact that the MDC has remained unbroken for 20+ years is evidence that it is secure.

This seems like... not a great stance to take on a post about a vulnerability that existed for 20+ years.

I don't understand the defensiveness.


The MDC thing has nothing to do with you. It's a perennial complaint among cryptographers about how PGP's design has escaped modernity. It's weird that you think HN is somehow the center of that phenomenon.


Then what does the MDC thing have to do with any of this?


It's an archaic premodern construction that cryptographers hate but that hasn't been demolished in a paper yet, in part because lots of people use SSH and very few people seriously use PGP. I'm confused, though: what would it have to do with you?


>...hasn't been demolished in a paper yet...

OpenPGP gets a fair amount of academic scrutiny. What is going to change that would allow someone to find a weakness in OCFB-MDC at this late date?

Also, why do you care so much that you bring it up out of nowhere in unrelated contexts?


Not really, no, it doesn't.

I don't understand your second question.



