[Cryptography] The paranoid approach to crypto-plumbing
leichter at lrw.com
Tue Sep 17 19:18:20 EDT 2013
On Sep 17, 2013, at 6:21 PM, John Kelsey <crypto.jmk at gmail.com> wrote:
>> I confess I'm not sure what the current state of research is on MAC
>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
> Encrypt then MAC has a couple of big advantages centering around the idea that you don't have to worry about reaction attacks, where I send you a possibly malformed ciphertext and your response (error message, acceptance, or even time differences in when you send an error message) tells me something about your secret internal state.
On a purely practical level, to reject a damaged message, with decrypt-then-MAC (ordering things on the receiver's side...) I have to pay the cost of a decryption plus a MAC computation; with MAC-then-decrypt, I only pay the cost of the MAC. On top of this, decryption is often more expensive than MAC computation. So decrypt-then-MAC makes DOS attacks easier.
One could also imagine side-channel attacks triggered by chosen ciphertext. Decrypt-then-MAC allows an attacker to trigger them; MAC-then-decrypt does not. (Attacks on MAC's seems somewhat less likely to be data dependent, but who knows for sure. In any case, even if you had such an attack, it would get you the authentication key - and at that point you would be able to *start* your attack not the decryption key.
MAC'ing the actual data always seemed more "logical" to me, but once you look at the actual situation, it no longer seems like the right thing to do.
More information about the cryptography