[Cryptography] The paranoid approach to crypto-plumbing
Perry E. Metzger
perry at piermont.com
Tue Sep 17 11:41:35 EDT 2013
On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
<frantz at pwpconsult.com> wrote:
> Authentication is achieved by signing the entire exchange with
> DSA. -- Change the protocol to sign the exchange with both RSA
> and DSA and send and check both signatures.
Remember to generate the nonce for DSA using a deterministic method.
> The current data exchange encryption uses SHA1 in HMAC mode and
> 3DES in CBC mode with MAC then encrypt. The only saving grace is
> that the first block of each message is the HMAC, which will
> make the known plain text attacks on the protocol harder. -- I
> would replace this protocol with one that encrypts twice and
> MACs twice. Using one of the modes which encrypt and MAC in one
> operation as the inner layer is very tempting with a different
> cypher in counter mode and a HMAC as the outer layer.
I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Also, you may want to generate your IVs deterministically from a
block cipher in counter mode, and not actually send them on the wire
-- see earlier discussions for why that is good, but in addition to
assuring the IVs are unpredictable and do not repeat, it prevents a
bad actor from using the IV as a covert channel. (Some would argue
against using CBC mode entirely -- see Rogaway's paper on block
Perry E. Metzger perry at piermont.com
More information about the cryptography