[Cryptography] The paranoid approach to crypto-plumbing

Perry E. Metzger perry at piermont.com
Tue Sep 17 11:41:35 EDT 2013

On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
<frantz at pwpconsult.com> wrote:
> Authentication is achieved by signing the entire exchange with 
> DSA.  --  Change the protocol to sign the exchange with both RSA 
> and DSA and send and check both signatures.

Remember to generate the nonce for DSA using a deterministic method.

> The current data exchange encryption uses SHA1 in HMAC mode and 
> 3DES in CBC mode with MAC then encrypt. The only saving grace is 
> that the first block of each message is the HMAC, which will 
> make the known plain text attacks on the protocol harder. -- I 
> would replace this protocol with one that encrypts twice and 
> MACs twice. Using one of the modes which encrypt and MAC in one 
> operation as the inner layer is very tempting with a different 
> cypher in counter mode and a HMAC as the outer layer.

I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.

Also, you may want to generate your IVs deterministically from a
block cipher in counter mode, and not actually send them on the wire
-- see earlier discussions for why that is good, but in addition to
assuring the IVs are unpredictable and do not repeat, it prevents a
bad actor from using the IV as a covert channel. (Some would argue
against using CBC mode entirely -- see Rogaway's paper on block
cipher modes.)

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list