conservative choice: encrypt then MAC (Re: general defensive crypto coding principles)

[Whyte, William]

> Don't forget Bleichenbacher's error channel attack on SSL
> implementations, which focussed on the mac then encrypt design of
> SSL... web servers gave different error for malformed padding vs
> plaintext MAC failure.  The lesson I drew from that is the
> conservative choice is encrypt then MAC.

Bleichenbacher's attack focused on RSA PKCS#1 decryption. You're
thinking of Vaudenay's, which focused on CBC padding errors.

There are other lessons to draw too, most notably: don't ever
let the sender know the reason why a decryption-and-authentication
failed.

William

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com