general defensive crypto coding principles

Sidney Markowitz sidney at sidney.com
Wed Feb 8 19:07:33 EST 2006


Simon Josefsson wrote:
> "Travis H." <solinym at gmail.com> writes:
> ...
>> 3) Authenticate the plaintext, not the ciphertext.  This is a general
[...]
> I wonder whether this is really a good suggestion, considering
> Krawczyk's paper that show that this construct is not generically
> secure.  See <http://eprint.iacr.org/2001/045>.

Schneier deals with that explicitly when he makes the suggestion, on pp. 115-117
in Practical Cryptography, referring to "theoretical results" rather than
referencing Krawczyk's paper directly.

Krawczyk's paper shows that authenticate before encryption is not secure under
assumptions that are not realistic, such as the encryption being subject to a
chosen ciphertext attack, use of ECB mode, separate MAC authentication of each
block along with an encryption oracle so you can use a kind of block level
replay attack in CBC mode. If you use a good cipher with an appropriate mode
and apply the authentication to the entire message with proper use of message
ID or timestamp to prevent replay attacks, you avoid Krawczyk's vulnerabilities
four times over.

Schneier deals with the argument about potential DoS attacks by pointing out
that most real-life DoS attacks saturate the communication channel, not the CPU.

He also presents arguments for authenticating before encrypting which I won't
repeat here -- it's all there in a pretty clear three pages in his book.

 -- Sidney Markowitz
    http://www.sidney.com
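
As an added example (not code from this thread or any of its participants), the Go program below implements the construction the message defends: an HMAC over the entire message, message ID included, then CBC encryption of the tagged message, with the receiver refusing anything whose tag fails or whose message ID does not advance. Keys, IV and message IDs are constructed demo values, and the uniform decryption error is an assumption about how a careful receiver should behave, not something the message spells out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

var (
	// Constructed demo keys (not secrets): independent MAC and AES-128 keys.
	macKey   = []byte("demo-mac-key-not-a-real-secret!!")
	block, _ = aes.NewCipher([]byte("demo-aes128-key!"))
	// One error for length, padding and tag failures: distinguishing them would
	// hand a chosen-ciphertext attacker the kind of oracle Krawczyk's result assumes.
	errAuth = errors.New("authentication failed")
)

// sealMtE: HMAC over msgID||plaintext, then CBC over the whole tagged message
// (MAC-then-encrypt as discussed above). iv must be fresh and random per message.
func sealMtE(msgID uint64, plaintext, iv []byte) []byte {
	msg := make([]byte, 8, 8+len(plaintext)+sha256.Size+aes.BlockSize)
	binary.BigEndian.PutUint64(msg, msgID)
	msg = append(msg, plaintext...)
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	msg = m.Sum(msg) // tag covers the entire message, msgID included
	pad := aes.BlockSize - len(msg)%aes.BlockSize // PKCS#7 padding
	for i := 0; i < pad; i++ { msg = append(msg, byte(pad)) }
	out := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, msg)
	return append(append([]byte{}, iv...), out...)
}

// receiver tracks the highest accepted msgID so a replayed message is refused.
type receiver struct{ lastID uint64 }

// openMtE decrypts, strips padding, verifies the tag, then enforces msgID order.
func (r *receiver) openMtE(ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 { return nil, errAuth }
	iv, body := ct[:aes.BlockSize], ct[aes.BlockSize:]
	msg := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(msg, body)
	pad := int(msg[len(msg)-1])
	if pad == 0 || pad > aes.BlockSize || len(msg) < pad+8+sha256.Size { return nil, errAuth }
	msg = msg[:len(msg)-pad]
	data, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	if !hmac.Equal(tag, m.Sum(nil)) { return nil, errAuth }
	id := binary.BigEndian.Uint64(data[:8])
	if id <= r.lastID { return nil, errors.New("replay") } // msgIDs start at 1, strictly increase
	r.lastID = id
	return data[8:], nil
}
```

In a real system the IV comes from crypto/rand and the keys from a KDF; the part to keep is the single error path, since any distinguishable decryption failure is exactly the chosen-ciphertext side channel the receiver must not expose.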

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com