[Cryptography] On the Impending Crypto Monoculture

Jonathan Katz jkatz at cs.umd.edu
Sun Mar 27 11:58:10 EDT 2016


On Fri, Mar 25, 2016 at 9:41 PM, Ray Dillinger <bear at sonic.net> wrote:
>
>
> On 03/25/2016 04:06 PM, Ray Dillinger wrote:
>>
>
>>  Encrypt-then-MAC really *is* superior to MAC-then-
>> encrypt, but you've got to be careful not to fall in one narsty
>> little pothole next to the road.
>>
>> That pothole is this:  Alice prepares a message for Bob, which
>> she MACs, then encrypts.  She sends it to Bob, and he strips
>> her MAC off of it, puts his own MAC on it, re-encrypts, and
>> sends it to Carol pretending it's a message to Carol from Bob.
>
>
> Ergh.  I babbled, of course. The first sentence above is just
> plain wrong. Parts of the rest are muddled. Let me clarify.
>
> Briefly:  The misattribution attack on Mac-Then-Encrypt allows
> Bob to redirect messages originally sent to Bob (because he can
> decrypt those, then replace the MAC, re-encrypt, and resend them).
> In security terms this is a pothole.  It can be harmful if Alice
> is sending to Bob anything Bob should not be able to produce
> himself, but is otherwise harmless.

For the record, it's worth noting that the above attack applies to
(public-key) encrypt-then-sign, but not to (private-key)
encrypt-then-MAC.

> The misattribution attack on Encrypt-Then-Mac allows Bob (or
> Mallory) to intercept an encrypted message from anybody to
> anybody, and with no need to decrypt it substitute his own
> MAC for the original.  In security terms this is a missing
> bridge.  You have to find a different way to get where you're
> going.  This is the good reason why Encrypt-Then-MAC ought
> to be avoided.
>
> In the Encrypt-then-MAC world attackers can substitute MACs
> on messages regardless of whether they can decrypt them -
> With a lot of protocols it's a pretty easy guess what's being
> said, so inability to decrypt is frequently inadequate defense.

