Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI
Joseph Ashwood
ashwood at msn.com
Wed Sep 16 21:13:29 EDT 2009
--------------------------------------------------
From: "David Wagner" <daw at cs.berkeley.edu>
Sent: Wednesday, September 16, 2009 5:19 PM
To: <cryptography at metzdowd.com>
Subject: Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI
> I don't exactly follow the argument for using CCM mode instead
> AES-CBC encryption followed by AES-CMAC, and I'm not familiar with
> the political/perception arguments (who complains about the latter?),
> but whatever.
I've actually had a few clients ask for a more detailed explanation of why
it is ok, so there are people who are confused. Some people get confused.
> It's hardly worth arguing over. The cryptographic mode
> of operation is unlikely to be the weakest link in your system, and the
> security differences between CCM mode vs AES-CBC + AES-CMAC seem minor,
> so it doesn't seem worth worrying too much about it: CCM mode seems good
> enough. I'm not sure I'm familiar with the arguments against EAX mode
> (full disclosure: I'm a co-author on the EAX paper and hence probably
> biased), but again, whatever.
Actually I think EAX is great, and if I had known you were replying while I was
writing mine I wouldn't have replied at all. My problem is that I haven't
taken the time to look over the patents on bordering technologies to see if
I believe it is patent safe. Lately, I've been dealing with a lot of patent
weirdness, so I'm more aware of patent issues.
> ObNitpick:
>
> Joseph Ashwood wrote:
>> Since you already have CBC available, my first suggestion would be
>> CBC-MAC
>> (IV = 0x0000000, pkcs5 padding works fine, MAC = final block of
>> ciphertext),
>> it has good strong security proofs behind it, and is fast. [...]
>
> Are you sure? For vanilla CBC-MAC, the security proofs don't apply to
> variable-length messages, and I recall that there are known attacks on
> vanilla CBC-MAC when message lengths can vary (I'm not claiming those
> attacks are necessarily realistic in all applications, but they may be).
> AES-CMAC is a nice design that addresses this problem. CMAC is based
> upon CBC-MAC, but addresses the imperfections of vanilla CBC-MAC.
I could try and justify my position, but honestly, CMAC really doesn't have any
real downsides, and the proof is tighter.
(I moved this down here)
> These three choices are all good enough and
> the security differences between them seem minor. In my view, choosing
> any of the three would be a reasonable choice. Just my personal opinion.
As opinions go, it's hard to find a better source than David Wagner.
Joe
BTW: Anyone looking to make a venture capital investment?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com