general defensive crypto coding principles

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Feb 10 01:21:05 EST 2006


Jack Lloyd <lloyd at randombit.net> writes:
>On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
>> So you can use encrypt-then-MAC, but you'd better be *very*
>> careful how you apply it, and MAC at least some of the additional
>> non-message-data components as well.
>
>Looking at the definitions in the paper, I think it is pretty clear that that
>was their intent. The scheme definitions in section 4 make no provisions for
>initialization vectors or any kind of parameterization, so I'm assuming that
>they assumed the encryption function will include all that as part of the
>output, meaning it will be included as part of the MAC.

Well, that's the exact problem that I pointed out in my previous message - in
order to get this right, people have to read the mind of the paper author to
divine their intent.  Since the consumers of the material in the paper
generally won't be expert cryptographers (or even inexpert cryptographers,
they'll be programmers), the result is a disaster waiting to happen.

Peter.
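The point under discussion, that an encrypt-then-MAC construction has to authenticate the IV and other non-message components rather than the ciphertext alone, as an added example that is not code from this thread or from either author. It uses only the Python standard library: the HMAC-SHA256 keystream is a constructed stand-in for a real stream or CTR-mode cipher, and the keys, IV and message are constructed values. `seal` and `unseal` are hypothetical helper names. Both variants are shown side by side so the receiver-side difference is visible: when the tag covers only the ciphertext, a corrupted IV passes verification and the receiver silently gets wrong plaintext; when the tag covers `iv || ciphertext`, verification fails and nothing is decrypted.

```python
import hashlib
import hmac
import os


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Constructed stand-in for a stream/CTR-mode cipher so the example runs on
    # the standard library alone: HMAC-SHA256 used as a PRF over (iv || counter).
    # A real system would use AES-CTR or a comparable cipher here.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def _xor_stream(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR against the keystream.
    return bytes(d ^ k for d, k in zip(data, _keystream(enc_key, iv, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, mac_covers_iv: bool, iv=None):
    """Encrypt-then-MAC with separate encryption and MAC keys.

    mac_covers_iv=True  -> tag is computed over iv || ciphertext (the IV is authenticated)
    mac_covers_iv=False -> tag is computed over ciphertext only (the gap the thread warns about)
    """
    iv = os.urandom(16) if iv is None else iv
    ciphertext = _xor_stream(enc_key, iv, plaintext)
    mac_input = iv + ciphertext if mac_covers_iv else ciphertext
    tag = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    return iv, ciphertext, tag


def unseal(enc_key: bytes, mac_key: bytes, iv: bytes, ciphertext: bytes, tag: bytes,
           mac_covers_iv: bool):
    """Verify the tag in constant time before decrypting; return None if it fails."""
    mac_input = iv + ciphertext if mac_covers_iv else ciphertext
    expected = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor_stream(enc_key, iv, ciphertext)


def corrupted_iv_outcome(mac_covers_iv: bool):
    """What the receiver ends up with when one bit of the IV is damaged in transit."""
    enc_key = b"\x11" * 32          # constructed fixed keys so the run is reproducible
    mac_key = b"\x22" * 32
    iv = b"\x00" * 16               # constructed fixed IV for the same reason
    message = b"pay 100 to account 42"
    _, ciphertext, tag = seal(enc_key, mac_key, message, mac_covers_iv, iv=iv)
    damaged_iv = bytes([iv[0] ^ 0x01]) + iv[1:]
    # Receiver sees the damaged IV with an otherwise intact ciphertext and tag.
    return unseal(enc_key, mac_key, damaged_iv, ciphertext, tag, mac_covers_iv)


if __name__ == "__main__":
    print("IV not covered by MAC ->", corrupted_iv_outcome(False))   # wrong plaintext, accepted
    print("IV covered by MAC     ->", corrupted_iv_outcome(True))    # None: rejected before decrypt
```

The design choice worth noting is that the receiver's check in `unseal` is the only place the difference shows up: with the IV outside the MAC, nothing on the receiving side can distinguish a damaged or substituted IV from a genuine one, which is exactly why the thread argues the paper's scheme definitions leave programmers to guess what must be authenticated.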

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list