Nullsoft's WASTE communication system
David Wagner
daw at mozart.cs.berkeley.edu
Sat May 31 11:54:26 EDT 2003
Eric Rescorla wrote:
> E(M) || H(M) -> This is still quite dangerous. If the attacker
> can somehow reset the IV, then they can mount
> an attack on the first cipher block.
Also, it can violate confidentiality. If M is guessable,
the guess can be confirmed using H(M).
> E(M || H(M)) -> This is hard to attack with block ciphers, but
> easy with stream ciphers.
Even for block ciphers, it's vulnerable against chosen-message
attack, although I agree this weakness may be more or less theoretical.
I certainly agree with all your comments. I can't imagine why
they invented their own crypto, rather than just using SSL.
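An added illustration of the confidentiality point above (not code from the post or from WASTE): a constructed SHA-256 counter-mode keystream stands in for E; `weak_seal` builds E(M) || H(M) and `identify_weak` shows that anyone holding the blob can confirm a guess for M with no key at all, while `strong_seal` replaces the bare hash with an HMAC under a separate key (Encrypt-then-MAC), which does not leak that way and rejects tampering. Keys, IV and the candidate list are constructed demo values.

```python
from __future__ import annotations
import hashlib
import hmac

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Constructed stand-in for E: SHA-256 in counter mode used as a stream cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # XOR with the keystream; decryption is the same operation
    return bytes(a ^ b for a, b in zip(data, keystream(key, iv, len(data))))

def weak_seal(key: bytes, iv: bytes, m: bytes) -> bytes:
    """E(M) || H(M): the construction criticised in the thread (H is unkeyed)."""
    return encrypt(key, iv, m) + hashlib.sha256(m).digest()

def identify_weak(blob: bytes, candidates: list[bytes]) -> bytes | None:
    """Confidentiality leak: the trailing H(M) lets anyone test guesses for M."""
    tag = blob[-32:]
    for guess in candidates:
        if hmac.compare_digest(tag, hashlib.sha256(guess).digest()):
            return guess
    return None

def strong_seal(enc_key: bytes, mac_key: bytes, iv: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: HMAC under a separate key over IV || ciphertext."""
    c = encrypt(enc_key, iv, m)
    return c + hmac.new(mac_key, iv + c, hashlib.sha256).digest()

def strong_open(enc_key: bytes, mac_key: bytes, iv: bytes, blob: bytes) -> bytes | None:
    """Verify the tag before decrypting; return None on any mismatch."""
    c, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return encrypt(enc_key, iv, c)

# Constructed demo values (not taken from the post or from WASTE)
KEY, MAC_KEY, IV = b"k" * 16, b"m" * 16, b"\x00" * 8
GUESSES = [b"yes", b"no", b"maybe"]
```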
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com