(3/3)
Countermeasures for developers/OpenPGP standard: (1) avoid #KOKV attacks by OpenPGP specification not leaving the task of confirming key #integrity to individual #implementations. (2) Use an #AEAD scheme (3). Deprecating #ElGamal encryption option in OpenPGP spec.

Paper & Info: https://www.kopenpgp.com/
#OpenPGP #PGP #E2E #Encryption #Verschlüsselung #KeyOverwritingAttack #KO

@liw Not entirely. My scenario involves using the decryptor in a pipe, both for the data coming in and the data going out. A signature over the entire file of course can't be verified until the entire file's processed, so at best it could withhold just the last block of data. AFAICT, #AEAD/#HMAC can apply to each block, and thus can prevent even one byte of un-authenticated data from being output. So, I think #age can promise to never emit unauthenticated data, but #OpenPGP can't.