[Cryptography] where is the weakness? related-key, mac-then-encrypt, CBC, padding oracle ????

Watson Ladd watsonbladd at gmail.com
Tue Dec 1 06:27:30 EST 2015

On Wed, Nov 11, 2015 at 3:10 PM, Kristian Gjøsteen
<kristian.gjosteen at math.ntnu.no> wrote:
> 11. nov. 2015 kl. 19.13 skrev John Denker <jsd at av8n.com>:
>> It seems to me that if a given cryptosystem (or subsystem)
>> must be followed by a MAC to make it secure, then the
>> subsystem was no good to begin with.  To say the same
>> thing the other way, if MAC-then-encrypt is not safe,
>> then the encrypt step itself is unsafe (with or without
>> any earlier MAC) and it's not logical to blame the early
>> MAC.
>> Never confuse the presence of one thing with the absence
>> of another.
> That is true, but you don’t understand the context in which the EtA advice originated.
> At the time, we had a bunch of block cipher modes and stream ciphers that were good at providing security against chosen plaintext attacks. And we had a couple of MACs that were good at providing integrity.
> Also, we realized that what we wanted was chosen ciphertext security.
> It was reasonably clear that combining an IND-CPA scheme and a MAC was a reasonable approach. What was not (and obviously still isn’t) clear was exactly how to combine them. Then we got a theorem saying EtA is always good, AtE is not always good and E&A is not good.

This is not quite right. It was always obvious (to the right people,
for definitions of obvious) that EtA is always good, as Rogaway's
comments on IPsec show. The failure to understand this was one of
people not taking seriously or even knowing the mathematics involved.

> Which means that, unless you are prepared to think seriously about the security of your scheme, EtA is the way to go.
> Later, we got AEAD and lots of other nice stuff, but still people mess up, people don’t understand and people complain a lot.
> (There is still some minor difference of opinion among experts, but that difference isn’t what’s reflected on this list. Also, the story isn’t quite as simple as the above suggests. Also, when I say «we» above, I should mention that I wasn’t a cryptographer back then, so that «we» doesn’t include me, strictly speaking.)
> --
> Kristian Gjøsteen
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography

"Man is born free, but everywhere he is in chains".
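The distinction the thread argues over (EtA always safe, AtE only safe with care, CBC padding as the classic failure) is easier to see in running code. The following is an added example by the editor, not code from any poster on the list. It assumes a toy 16-byte block cipher (a four-round Feistel network with HMAC-SHA256 round functions, standing in for AES so the file needs only the standard library; not for production use), HMAC-SHA256 as the MAC, PKCS#7 padding, and a receiver whose "bad padding" and "bad mac" failures an attacker can tell apart (here by error string; in deployed TLS stacks the distinguisher was timing or distinct alert codes). Keys and the plaintext are constructed for the demo. Against the MAC-then-encrypt receiver, recover_plaintext() runs Vaudenay's padding-oracle attack and recovers the whole padded plaintext; against the encrypt-then-MAC receiver, verdict() returns "bad mac" for every tampered byte, so the same attack has nothing to work with.

```python
import hashlib, hmac, os

BLOCK, ROUNDS, TAG_LEN = 16, 4, 32
ENC_KEY, MAC_KEY = b"\x01" * 32, b"\x02" * 32            # constructed demo keys
MESSAGE = b"the quick brown fox jumps over the lazy dog"  # constructed plaintext

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def block_cipher(key, blk, decrypt=False):
    # Toy 16-byte PRP: 4-round Feistel with HMAC-SHA256 round functions, a
    # stand-in for AES so the example needs only the standard library.
    L, R = blk[:8], blk[8:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        L, R = R, xor(L, prf(key, bytes([i]) + R)[:8])
    return R + L

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(block_cipher(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_cipher(key, c, True), p) for p, c in zip([iv] + blocks, blocks))

# Encrypt-then-MAC: the tag covers IV||ciphertext and is checked before any
# decryption happens, so a tampered message can only ever yield "bad mac".
def etm_encrypt(ek, mk, msg):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(ek, iv, pad(msg))
    return iv + ct + prf(mk, iv + ct)

def etm_decrypt(ek, mk, blob):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(mk, iv + ct)):
        raise ValueError("bad mac")
    return unpad(cbc_decrypt(ek, iv, ct))

# MAC-then-encrypt: the tag is encrypted along with the message, so the
# receiver must decrypt and strip padding before it can check anything.
def mte_encrypt(ek, mk, msg):
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(ek, iv, pad(msg + prf(mk, msg)))

def mte_decrypt(ek, mk, blob):
    data = unpad(cbc_decrypt(ek, blob[:BLOCK], blob[BLOCK:]))  # the leak
    msg, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if not hmac.compare_digest(tag, prf(mk, msg)):
        raise ValueError("bad mac")
    return msg

def verdict(decrypt, blob):
    # What the receiver reports for a submitted ciphertext. Modelled here as an
    # error string; in real TLS stacks it was timing or distinct alert codes.
    try:
        decrypt(blob)
    except ValueError as err:
        return str(err)
    return "ok"

def recover_block(decrypt, prev_block, target_block):
    # Vaudenay's attack: learn the raw block decryption one byte at a time by
    # forging the preceding block, then XOR with the genuine preceding block.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for guess in range(256):
            forged = bytearray(inter[k] ^ padval if k > pos else 0 for k in range(BLOCK))
            forged[pos] = guess
            if verdict(decrypt, bytes(forged) + target_block) == "bad padding":
                continue
            if pos == BLOCK - 1:  # rule out an accidental \x02\x02, \x03\x03\x03 ...
                forged[pos - 1] ^= 0xFF
                if verdict(decrypt, bytes(forged) + target_block) == "bad padding":
                    continue
            inter[pos] = guess ^ padval
            break
    return xor(inter, prev_block)

def recover_plaintext(decrypt, blob):
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]  # IV first
    return b"".join(recover_block(decrypt, p, c) for p, c in zip(blocks, blocks[1:]))
```

Usage: recover_plaintext(lambda b: mte_decrypt(ENC_KEY, MAC_KEY, b), mte_encrypt(ENC_KEY, MAC_KEY, MESSAGE)) returns pad(MESSAGE || tag) using at most 16 * 256 oracle queries per block, without the key. Note where the leak sits: mte_decrypt must call unpad() before it can even locate the tag, so the padding check is an oracle the attacker drives; etm_decrypt rejects every forgery with the same "bad mac" before unpad() runs, which is why the theorem Gjøsteen refers to can be proven for EtA generically but not for AtE. Real deployments also have to make the MAC check constant-time (hmac.compare_digest here), since a timing difference is just another oracle.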
