general defensive crypto coding principles

Jack Lloyd lloyd at randombit.net
Wed Feb 8 11:53:56 EST 2006


On Sun, Feb 05, 2006 at 05:15:08AM -0600, Travis H. wrote:

> 3) Authenticate the plaintext, not the ciphertext.  This is a general
> application of the rule "use semantically appropriate constructs". 
> That is, our point in signing is to authenticate the plaintext, not an
> encrypted version of it.  This has the drawback that decryption must
> occur before authentication, which is a possible DoS vector.

This seems like an interesting choice - Bellare and Namprempre have a paper on
this [worth reading IMO; http://www-cse.ucsd.edu/~mihir/papers/oem.html] which
suggests that this method (which they term Encrypt-and-MAC) has problems in
terms of information leakage. An obvious example occurs when using a
deterministic authentication scheme like HMAC - an attacker can with high
probability detect duplicate plaintexts by looking for identical tags. They
also show that using a MAC on the ciphertext is a secure construction in a
fairly broad set of cases.

Hmm... though I believe in the case of using public key signatures rather than a
MAC, one would want to sign before encrypting, since otherwise an attacker
could take another party's message, strip off the signature and add their own
without detection (unless the message itself included source information that
the receiver could check against). I can imagine some bizarre key management
systems where something like this attack might also work using a shared-key
MAC, though it seems the best solution then would be to fix your key
management.

-Jack

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
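The leakage Jack describes (a deterministic MAC over the plaintext lets an observer spot repeated messages even though the ciphertexts differ) is easy to see side by side with Encrypt-then-MAC. The following is an added example, not code from the thread or from any library the thread mentions; the cipher is a toy HMAC-SHA256 counter-mode keystream with a random nonce, the keys are constructed test values, and `tag_repeats` is a helper invented for this illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

# Constructed test keys; real keys come from a KDF, and the two must be independent.
ENC_KEY = b"example-encryption-key-32-bytes!"
MAC_KEY = b"example-mac-key-also-32-bytes-xx"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, plaintext: bytes) -> bytes:
    """Randomised encryption: a fresh nonce makes equal plaintexts encrypt differently."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(enc_key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def mac(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def encrypt_and_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-and-MAC: the tag is computed over the plaintext (Travis's rule 3)."""
    return encrypt(enc_key, plaintext), mac(mac_key, plaintext)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag is computed over the ciphertext (Bellare/Namprempre)."""
    ct = encrypt(enc_key, plaintext)
    return ct, mac(mac_key, ct)


def open_encrypt_then_mac(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Verify before decrypting; tampered or forged messages never reach the cipher."""
    if not hmac.compare_digest(mac(mac_key, ct), tag):
        return None
    return decrypt(enc_key, ct)


def tag_repeats(scheme, enc_key: bytes, mac_key: bytes, plaintext: bytes, n: int = 4) -> bool:
    """Send the same plaintext n times; True if every transmission carries the same tag."""
    tags = {scheme(enc_key, mac_key, plaintext)[1] for _ in range(n)}
    return len(tags) == 1


if __name__ == "__main__":
    msg = b"BUY 100 SHARES"
    print("Encrypt-and-MAC tag repeats for equal plaintexts:",
          tag_repeats(encrypt_and_mac, ENC_KEY, MAC_KEY, msg))
    print("Encrypt-then-MAC tag repeats for equal plaintexts:",
          tag_repeats(encrypt_then_mac, ENC_KEY, MAC_KEY, msg))
```

With Encrypt-and-MAC every repeat of the same plaintext carries the identical tag even though each ciphertext is fresh, so a passive observer learns which messages are duplicates; with Encrypt-then-MAC the tag covers the randomised ciphertext and reveals nothing. The receiver-side `open_encrypt_then_mac` also shows the other half of the argument: the MAC is checked first, so a flipped ciphertext byte is rejected before any decryption work is done.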
