[Cryptography] On the Impending Crypto Monoculture

Ray Dillinger bear at sonic.net
Fri Mar 25 19:06:49 EDT 2016



On 03/24/2016 10:27 PM, Andrew Donoho wrote:

> 	In my app's code, I’ve only used AES-256-CBC, SHA-256, HMAC-SHA-256, and RSA-2048. (Yes, I use encrypt then MAC.) 

Okay, just in case you're new to the crypto-code game I have to
bring this up.  Encrypt-then-MAC really *is* superior to MAC-then-
encrypt, but you've got to be careful not to fall in one narsty
little pothole next to the road.

That pothole is this:  Alice prepares a message for Bob, which
she MACs, then encrypts.  She sends it to Bob, and he strips
her MAC off of it, puts his own MAC on it, re-encrypts, and
sends it to Carol pretending it's a message to Carol from Bob.

Now this sounds like a dumb thing that could never happen because
Carol wouldn't really be fooled by a message from the wrong origin
bearing the wrong MAC, even if the origin and MAC she actually gets
it from do go together.  But, assuming Carol is running an honest
node (your code?) look at the code for it.  Would she be fooled?
How would she react?

When we're talking about protocol messages, they tend to be a heck
of a lot simpler and harder to tell apart aside from the MAC. Stunts
like this are at the top of the list when people are working out how
to MITM or DoS various protocols or provoke informative responses
(or non-responses!) from other nodes, or block other nodes from
replying to each other, or etc.

So it's a pothole, and you need to be sure that nothing you build
is vulnerable to it - just using encrypt-then-mac solves some
problems but doesn't solve every problem.  You also need to build
in a good reason why nobody will ever be fooled by the *wrong* MAC,
and know exactly how the same message from different users will
be detected and dealt with.

				Bear
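
An added illustration, not part of the post above or of any code Ray or Andrew describe: a small Python model of the pothole and of the kind of check that makes the "wrong MAC" detectable. Everything in it is constructed for the example. The cipher is a toy SHA-256 keystream standing in for AES-CBC (the standard library has no AES; what matters here is what the MAC covers, not the cipher), all three nodes share one constructed encryption key and one MAC key as in a simple pre-shared-key protocol, and the sender/recipient identifiers and the `seal_*`/`open_*` function names are invented for the example.

```python
"""Constructed example: encrypt-then-MAC with and without an authenticated
header, showing why a relayed message is indistinguishable in the first
scheme and rejected in the second.  Toy cipher, constructed keys."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

# Constructed keys shared by every node on the toy network (pre-shared-key
# protocol).  Not real key material.
K_ENC = b"\x11" * 32
K_MAC = b"\x22" * 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream from SHA-256; a stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal_naive(plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC where the tag covers only nonce||ciphertext."""
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(K_ENC, nonce, len(plaintext)))
    tag = hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_naive(blob: bytes):
    """Verify the tag, then decrypt.  Nothing here says who sent it or to whom."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(K_MAC, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return _xor(ct, _keystream(K_ENC, nonce, len(ct)))


def seal_bound(sender: str, recipient: str, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Same construction, but the tag also covers a cleartext header naming
    the sender and the intended recipient.  Identifiers must not contain '|'."""
    nonce = nonce or os.urandom(NONCE_LEN)
    header = f"{sender}|{recipient}|".encode()
    ct = _xor(plaintext, _keystream(K_ENC, nonce, len(plaintext)))
    tag = hmac.new(K_MAC, header + nonce + ct, hashlib.sha256).digest()
    return header + nonce + ct + tag


def open_bound(blob: bytes, channel_peer: str, my_id: str):
    """Verify the tag over header||nonce||ct, then insist that the authenticated
    header matches the channel the message actually arrived on."""
    sender, recipient, rest = blob.split(b"|", 2)
    header = sender + b"|" + recipient + b"|"
    nonce, ct, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    expect = hmac.new(K_MAC, header + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None, "bad mac"
    if recipient.decode() != my_id:
        return None, f"header names recipient {recipient.decode()}, but I am {my_id}"
    if sender.decode() != channel_peer:
        return None, f"header names sender {sender.decode()}, but this channel's peer is {channel_peer}"
    return _xor(ct, _keystream(K_ENC, nonce, len(ct))), "ok"


def demo() -> dict:
    """Run the four cases from Carol's point of view and return what she sees."""
    msg = b"transfer 100 to account 7"  # constructed message from Alice to Bob
    results = {}

    # 1. Naive scheme: Alice's blob, relayed unchanged by Bob, verifies at Carol.
    #    Carol has no authenticated basis to tell who wrote it or for whom.
    results["naive_forward"] = open_naive(seal_naive(msg))

    # 2. Bound scheme, same relay: the authenticated header says alice->bob,
    #    Carol is not bob, so the message is rejected with a clear reason.
    blob = seal_bound("alice", "bob", msg)
    results["bound_forward"] = open_bound(blob, channel_peer="bob", my_id="carol")

    # 3. Header rewritten to bob->carol but Alice's tag kept: tag covers the
    #    header, so verification fails.
    _sender, _recipient, rest = blob.split(b"|", 2)
    results["bound_header_rewrite"] = open_bound(b"bob|carol|" + rest, "bob", "carol")

    # 4. Residual: Bob re-encrypts and re-MACs the content under his own name.
    #    He holds the key, so this verifies, and the protocol now records Bob,
    #    not Alice, as the asserted author of that content.
    results["bound_bob_reauthor"] = open_bound(seal_bound("bob", "carol", msg), "bob", "carol")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The header binding turns "the MAC checks out" into "the MAC checks out for a message from this peer to me", which is the explicit rule Bear asks for: Carol can say exactly how a message meant for Bob is detected when it shows up at her door. Case 4 is the limit of what a symmetric MAC can give: a key holder can always re-author content as his own, so if authorship of the content itself matters, the protocol needs a recipient-chosen nonce bound into the header (challenge-response) or an origin signature rather than a shared-key MAC.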


				
