[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

[Bill Frantz]

At 7:55 AM -0800 2/25/03, Bodo Moeller wrote:
>On Tue, Feb 25, 2003 at 10:41:51AM -0500, Anton Stiglic wrote:
>> Pad-t-MAC-t-encrypt sounds like an interesting avenue, but why
>> would you propose that for TLS 1.1 instead of just proposing the safe
>> Pad-t-Encrypt-t-MAC?  If there is going to be a change,
>> might as well go with something that is provably secure, or is there some
>> reason (compatibility or something) to prefer Pad-t-MAC-t-Encrypt
>> that I do not see here?
>
>For CBC (with explicit IVs, which we don't yet have in SSL 3.0 and
>TLS 1.0) and for stream ciphers, both variants achieve probable
>security.  The reason to prefer pad-then-MAC-then-encrypt is just
>compatibility -- more specifically, ease of implementation (having
>an improved protocol is much more useful if it makes it into many
>actual products).

I have always preferred to have the MAC check as much of the transfer logic
as possible.  If you pad-then-MAC-then-encrypt, then the MAC checks both
the encryption and decryption stages.  If you MAC last, all the MAC checks
is whether errors have been introduced into the transmission (by an
attacker or just through failure of the TCP checksum).

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz           | Due process for all    | Periwinkle -- Consulting
(408)356-8506         | used to be the         | 16345 Englewood Ave.
frantz at pwpconsult.com | American way.          | Los Gatos, CA 95032, USA



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com