Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

David Wagner daw at cs.berkeley.edu
Wed Sep 16 20:19:53 EDT 2009


I don't exactly follow the argument for using CCM mode instead of
AES-CBC encryption followed by AES-CMAC, and I'm not familiar with
the political/perception arguments (who complains about the latter?),
but whatever.  It's hardly worth arguing over.  The cryptographic mode
of operation is unlikely to be the weakest link in your system, and the
security differences between CCM mode vs AES-CBC + AES-CMAC seem minor,
so it doesn't seem worth worrying too much about it: CCM mode seems good
enough.  I'm not sure I'm familiar with the arguments against EAX mode
(full disclosure: I'm a co-author on the EAX paper and hence probably
biased), but again, whatever.  These three choices are all good enough and
the security differences between them seem minor.  In my view, choosing
any of the three would be a reasonable choice.  Just my personal opinion.


ObNitpick:

Joseph Ashwood wrote:
> Since you already have CBC available, my first suggestion would be CBC-MAC 
> (IV = 0x0000000, pkcs5 padding works fine, MAC = final block of ciphertext),
> it has good strong security proofs behind it, and is fast. [...]

Are you sure?  For vanilla CBC-MAC, the security proofs don't apply to
variable-length messages, and I recall that there are known attacks on
vanilla CBC-MAC when message lengths can vary (I'm not claiming those
attacks are necessarily realistic in all applications, but they may be).
AES-CMAC is a nice design that addresses this problem.  CMAC is based
upon CBC-MAC, but addresses the imperfections of vanilla CBC-MAC.

Personally, I wouldn't recommend vanilla CBC-MAC as a choice of message
authentication primitive; CMAC seems better in every dimension.  CMAC is
basically a CBC-MAC, but with all the details done right.  CMAC also
has the benefit that it has been standardized by NIST.

http://en.wikipedia.org/wiki/CMAC
http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf 

Bottom line: If you're going to use a standalone CBC-based MAC together
with a standalone encryption algorithm, I'd recommend using CMAC as your
message authentication code, not AES-CBC.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
