IGE mode is broken (Re: IGE mode in OpenSSL)
Ben Laurie
ben at algroup.co.uk
Wed Sep 13 07:15:18 EDT 2006
Kuehn, Ulrich wrote:
>
>
>> -----Original Message----- From: Ben Laurie
>> [mailto:ben at algroup.co.uk] Sent: Samstag, 9. September 2006 22:39
>> To: Adam Back Cc: Travis H.; Cryptography; Anton Stiglic Subject:
>> Re: IGE mode is broken (Re: IGE mode in OpenSSL)
>>
> [...]
>> In any case, I am not actually interested IGE itself, rather in
>> biIGE (i.e. IGE applied twice, once in each direction), and I don't
>> care about authentication, I care about error propagation -
>> specifically, I want errors to propagate throughout the plaintext.
>>
>> In fact, I suppose I do care about authentication, but in the
>> negative sense - I want it to not be possible to authenticate the
>> message.
>>
>
> Do I understand correctly? You do want that nobody is able to
> authenticate a message, however, it shall not be intelligible if
> manipulated with?
Correct. Minx (which is the only place I use IGE) avoids traffic marking
attacks in two ways:
a) all messages are "correct"
b) any attempt to mark a message results in its complete corruption
See the Minx paper, http://www.apache-ssl.org/minx.pdf.
> Or do you want that the authentication test fails if the message has
> been tampered with?
No.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list