general defensive crypto coding principles

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 8 23:52:11 EST 2006


Sidney Markowitz <sidney at sidney.com> writes:
>Krawczyk's paper shows that authenticate before encryption is not secure
>under assumptions that are not realistic, such as the encryption being
>subject to a chosen ciphertext attack, use of ECB mode, separate MAC
>authentication of each block along with an encryption oracle so you can use a
>kind of block-level replay attack in CBC mode. If you use a good cipher with
>an appropriate mode and apply the authentication to the entire message with
>proper use of message ID or timestamp to prevent replay attacks, you avoid
>Krawczyk's vulnerabilities four times over.

Just after I sent my previous message (sigh) I finally remembered the name of
the paper that contains a more realistic analysis of encrypt/MAC modes and
looks at existing implementations. It's "Building Secure Cryptographic
Transforms, or How to Encrypt and MAC" by Kohno, Palacio, and Black.  Google
tells me it's available from the IACR ePrint archive,
http://eprint.iacr.org/2003/177.

Peter.
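Sidney's recipe above (a proper mode, one MAC over the entire message, a sequence number against replay) written out in the encrypt-then-MAC order that Krawczyk's analysis shows to be generically secure. This is an added example, not code from the thread or from the cited paper; it assumes AES-CTR with HMAC-SHA256, constructed keys, a caller-supplied IV that never repeats under a key, and sequence numbers starting at 1.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Constructed keys for this example only; cipher and MAC use independent keys.
var encKey, macKey = []byte("0123456789abcdef"), []byte("fedcba9876543210")
const hdr = 8 + aes.BlockSize // header: 64-bit sequence number || IV

// Seal: seq || IV || AES-CTR(pt) || HMAC-SHA256 over everything before the tag.
// The tag binds the whole message and its sequence number, not individual blocks.
func Seal(seq uint64, iv, pt []byte) []byte {
	msg := make([]byte, hdr+len(pt), hdr+len(pt)+sha256.Size)
	binary.BigEndian.PutUint64(msg, seq)
	copy(msg[8:], iv) // iv must be unique per message under encKey (CTR mode)
	blk, _ := aes.NewCipher(encKey) // key is 16 bytes, so NewCipher cannot fail
	cipher.NewCTR(blk, iv).XORKeyStream(msg[hdr:], pt)
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	return m.Sum(msg)
}

// Open checks the tag and the sequence number before touching the ciphertext, so a
// forged, truncated or replayed message is rejected before any decryption happens.
func Open(last *uint64, msg []byte) ([]byte, error) {
	if len(msg) < hdr+sha256.Size {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) { // constant-time comparison
		return nil, errors.New("bad MAC")
	}
	seq := binary.BigEndian.Uint64(body) // authenticated, so safe to act on now
	if seq <= *last {
		return nil, errors.New("replayed or reordered message")
	}
	*last = seq
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(body)-hdr)
	cipher.NewCTR(blk, body[8:hdr]).XORKeyStream(pt, body[hdr:])
	return pt, nil
}
```

The receiver keeps `last` per sender and key; with the MAC covering the sequence number, cutting, reordering or replaying a block of an earlier message changes nothing that the receiver will decrypt.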

---------------------------------------------------------------------
The Cryptography Mailing List