Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

Joseph Ashwood ashwood at
Wed Sep 16 21:13:29 EDT 2009

From: "David Wagner" <daw at>
Sent: Wednesday, September 16, 2009 5:19 PM
To: <cryptography at>
Subject: Re: Detecting attempts to decrypt with incorrect secret key in 

> I don't exactly follow the argument for using CCM mode instead
> AES-CBC encryption followed by AES-CMAC, and I'm not familiar with
> the political/perception arguments (who complains about the latter?),
> but whatever.

I've actually had a few clients ask for a more detailed explanation of why 
it is ok, so there are people who are confused. Some people get confused.

> It's hardly worth arguing over.  The cryptographic mode
> of operation is unlikely to be the weakest link in your system, and the
> security differences between CCM mode vs AES-CBC + AES-CMAC seem minor,
> so it doesn't seem worth worrying too much about it: CCM mode seems good
> enough.  I'm not sure I'm familiar with the arguments against EAX mode
> (full disclosure: I'm a co-author on the EAX paper and hence probably
> biased), but again, whatever.

Actually I think EAX is great, and if I had known you were replying while I was 
writing mine I wouldn't have replied at all. My problem is that I haven't 
taken the time to look over the patents on bordering technologies to see if 
I believe it is patent safe. Lately, I've been dealing with a lot of patent 
weirdness, so I'm more aware of patent issues.

> ObNitpick:
> Joseph Ashwood wrote:
>> Since you already have CBC available, my first suggestion would be 
>> (IV = 0x0000000, PKCS5 padding works fine, MAC = final block of 
>> ciphertext),
>> it has good strong security proofs behind it, and is fast. [...]
> Are you sure?  For vanilla CBC-MAC, the security proofs don't apply to
> variable-length messages, and I recall that there are known attacks on
> vanilla CBC-MAC when message lengths can vary (I'm not claiming those
> attacks are necessarily realistic in all applications, but they may be).
> AES-CMAC is a nice design that addresses this problem.  CMAC is based
> upon CBC-MAC, but addresses the imperfections of vanilla CBC-MAC.

I could try and justify my position, but honestly, CMAC really doesn't have any 
real downsides, and the proof is tighter.

(I moved this down here)

> These three choices are all good enough and
> the security differences between them seem minor.  In my view, choosing
> any of the three would be a reasonable choice.  Just my personal opinion.

As opinions go, it's hard to find a better source than David Wagner.

BTW: Anyone looking to make a venture capital investment? 
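The variable-length weakness of vanilla CBC-MAC that Wagner points to, and the reason CMAC's keyed final block closes it, as an added worked example that is not code from the thread or from ESAPI. The block cipher in it is a stand-in (an HMAC-SHA256 Feistel network on 16-byte blocks) so the script runs with only the Python standard library; it is not AES, and the function names (`cbc_mac`, `cmac`, `forge_cbc_mac`, `demo`) and the fixed key and messages are constructed for the illustration. The MAC layers themselves only call `block_encrypt`, so swapping in a real AES-128 block encryption gives CBC-MAC and CMAC (RFC 4493) over AES.

```python
"""
Added example: length-extension forgery against vanilla CBC-MAC (zero IV,
block-aligned messages) and the same forgery attempted against CMAC.

block_encrypt() is a stand-in 128-bit keyed permutation, NOT AES (assumption:
any PRP is enough to show the MAC-level issue). cbc_mac()/cmac() are
cipher-agnostic; plug in a real AES encryption to get AES-CBC-MAC / AES-CMAC.
"""
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: 4-round Feistel, HMAC-SHA256 as round function."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Vanilla CBC-MAC with IV = 0 over a non-empty, block-aligned message."""
    assert msg and len(msg) % BLOCK == 0
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, _xor(state, msg[i:i + BLOCK]))
    return state


def _dbl(b: bytes) -> bytes:
    """Multiply by x in GF(2^128) with the CMAC reduction constant 0x87."""
    n = int.from_bytes(b, "big") << 1
    if n >> 128:
        n ^= 0x87
    return (n & ((1 << 128) - 1)).to_bytes(BLOCK, "big")


def cmac(key: bytes, msg: bytes) -> bytes:
    """CMAC (RFC 4493 structure): subkeys K1/K2 mask the final block."""
    k1 = _dbl(block_encrypt(key, bytes(BLOCK)))
    k2 = _dbl(k1)
    if msg and len(msg) % BLOCK == 0:          # complete final block -> K1
        body, last = msg[:-BLOCK], _xor(msg[-BLOCK:], k1)
    else:                                      # pad 10..0, then K2
        padded = msg + b"\x80" + bytes(BLOCK - 1 - len(msg) % BLOCK)
        body, last = padded[:-BLOCK], _xor(padded[-BLOCK:], k2)
    state = bytes(BLOCK)
    for i in range(0, len(body), BLOCK):
        state = block_encrypt(key, _xor(state, body[i:i + BLOCK]))
    return block_encrypt(key, _xor(state, last))


def forge_cbc_mac(m1: bytes, t1: bytes, m2: bytes, t2: bytes):
    """Known CBC-MAC forgery: from (m1, t1) and (m2, t2) build
    m1 || (m2[0:16] xor t1) || m2[16:], whose vanilla CBC-MAC is t2.
    No key needed: the chaining value after m1 is t1, and xoring it into
    the next block cancels it out, so the remaining chain recomputes MAC(m2)."""
    return m1 + _xor(m2[:BLOCK], t1) + m2[BLOCK:], t2


def demo():
    """Returns (forgery verifies under CBC-MAC, forgery verifies under CMAC)."""
    key = bytes(range(16))                     # constructed fixed key
    m1 = b"transfer 10 EUR "                   # constructed 16-byte messages
    m2 = b"to account 4242 "

    # Attacker saw two legitimately tagged messages, splices a third.
    t1, t2 = cbc_mac(key, m1), cbc_mac(key, m2)
    forged, tag = forge_cbc_mac(m1, t1, m2, t2)
    cbc_forgery_ok = hmac.compare_digest(cbc_mac(key, forged), tag)

    # Same splice against CMAC: t1 was computed with K1 folded into the last
    # block, so it is not the plain chaining value and the cancellation fails.
    c1, c2 = cmac(key, m1), cmac(key, m2)
    forged2, tag2 = forge_cbc_mac(m1, c1, m2, c2)
    cmac_forgery_ok = hmac.compare_digest(cmac(key, forged2), tag2)
    return cbc_forgery_ok, cmac_forgery_ok


if __name__ == "__main__":
    print("CBC-MAC forgery accepted: %s, CMAC forgery accepted: %s" % demo())
```

The CBC-MAC branch accepts the spliced message because the tag of a message is exactly the chaining state the next block is xored with; CMAC masks the last block with a secret subkey, so a tag never equals an intermediate chaining value and the splice breaks.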

The Cryptography Mailing List