conservative choice: encrypt then MAC (Re: general defensive crypto coding principles)
Whyte, William
WWhyte at ntru.com
Thu Feb 9 09:59:48 EST 2006
> Don't forget Bleichenbacher's error channel attack on SSL
> implementations, which focussed on the mac then encrypt design of
> SSL... web servers gave different error for malformed padding vs
> plaintext MAC failure. The lesson I drew from that is the
> conservative choice is encrypt then MAC.

Bleichenbacher's attack focused on RSA PKCS#1 decryption. You're
thinking of Vaudenay's, which focused on CBC padding errors.

There are other lessons to draw too, most notably: don't ever
let the sender know the reason why a decryption-and-authentication
failed.

William
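
The two points raised in this thread (MAC the ciphertext and verify it before touching padding, and report one indistinguishable failure), as an added Python sketch that is not code from the post. The names `seal`, `unseal` and `DecryptError` are hypothetical, and `keystream` is a stand-in cipher built from HMAC-SHA256 so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

class DecryptError(Exception):
    """The only failure a caller (or the sender) ever sees."""

def keystream(key, nonce, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode.
    # Substitute a vetted cipher in real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def pad(data, block=16):
    n = block - len(data) % block
    return data + bytes([n]) * n

def unpad(data, block=16):
    n = data[-1] if data else 0
    if not 1 <= n <= block or len(data) % block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def seal(enc_key, mac_key, plaintext):
    # Encrypt first, then MAC the nonce and ciphertext with a separate key.
    nonce = os.urandom(16)
    padded = pad(plaintext)
    ct = bytes(a ^ b for a, b in zip(padded, keystream(enc_key, nonce, len(padded))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, message):
    try:
        if len(message) < 64:  # 16-byte nonce + one block + 32-byte tag
            raise ValueError("too short")
        nonce, ct, tag = message[:16], message[16:-32], message[-32:]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        # Constant-time tag check happens before any decryption or unpadding.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad tag")
        padded = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
        return unpad(padded)
    except ValueError:
        # Length, tag and padding failures all collapse into one error.
        raise DecryptError("decryption failed") from None
```

Because the tag is checked first, a modified ciphertext never reaches `unpad`, and the padding branch is reachable only for messages produced with the MAC key.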
---------------------------------------------------------------------
The Cryptography Mailing List