[Cryptography] where is the weakness? related-key, mac-then-encrypt, CBC, padding oracle ????

Kristian Gjøsteen kristian.gjosteen at math.ntnu.no
Wed Nov 11 15:10:03 EST 2015


On 11 Nov 2015 at 19:13, John Denker <jsd at av8n.com> wrote:
> It seems to me that if a given cryptosystem (or subsystem)
> must be followed by a MAC to make it secure, then the 
> subsystem was no good to begin with.  To say the same 
> thing the other way, if MAC-then-encrypt is not safe, 
> then the encrypt step itself is unsafe (with or without
> any earlier MAC) and it's not logical to blame the early 
> MAC.
> 
> Never confuse the presence of one thing with the absence
> of another.

That is true, but you don’t understand the context in which the EtA advice originated.

At the time, we had a bunch of block cipher modes and stream ciphers that were good at providing security against chosen plaintext attacks. And we had a couple of MACs that were good at providing integrity.

Also, we realized that what we wanted was chosen ciphertext security.

It was reasonably clear that combining an IND-CPA scheme and a MAC was a reasonable approach. What was not (and obviously still isn’t) clear was exactly how to combine them. Then we got a theorem saying EtA is always good, AtE is not always good and E&A is not good.

Which means that, unless you are prepared to think seriously about the security of your scheme, EtA is the way to go.

Later, we got AEAD and lots of other nice stuff, but still people mess up, people don’t understand and people complain a lot.

(There is still some minor difference of opinion among experts, but that difference isn’t what’s reflected on this list. Also, the story isn’t quite as simple as the above suggests. Also, when I say «we» above, I should mention that I wasn’t a cryptographer back then, so that «we» doesn’t include me, strictly speaking.)

-- 
Kristian Gjøsteen
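As an added illustration of the two compositions the post compares (example code, not from the thread or its author): encrypt-then-authenticate versus authenticate-then-encrypt, each built from an IND-CPA counter-mode cipher and a MAC with independent keys. The toy cipher (HMAC-SHA256 as the PRF in counter mode), the 16-byte nonce and the function names are assumptions of this example; the point it shows is that EtA rejects a modified ciphertext before decryption runs on it, while AtE must decrypt unauthenticated input first.

```python
import hmac, hashlib, secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF (IND-CPA if HMAC is a PRF)
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def ctr_encrypt(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # assumed nonce size; fresh per message
    return nonce + bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))


def ctr_decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def eta_encrypt(k_enc: bytes, k_mac: bytes, msg: bytes) -> bytes:
    # EtA: the MAC covers the entire ciphertext, nonce included
    c = ctr_encrypt(k_enc, msg)
    return c + hmac.new(k_mac, c, hashlib.sha256).digest()


def eta_decrypt(k_enc: bytes, k_mac: bytes, ct: bytes) -> bytes:
    c, tag = ct[:-32], ct[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, c, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")  # rejected before any decryption happens
    return ctr_decrypt(k_enc, c)


def ate_encrypt(k_enc: bytes, k_mac: bytes, msg: bytes) -> bytes:
    # AtE: MAC over the plaintext, then encrypt message || tag
    return ctr_encrypt(k_enc, msg + hmac.new(k_mac, msg, hashlib.sha256).digest())


def ate_decrypt(k_enc: bytes, k_mac: bytes, ct: bytes) -> bytes:
    pt = ctr_decrypt(k_enc, ct)  # unauthenticated ciphertext is processed first
    msg, tag = pt[:-32], pt[-32:]
    if not hmac.compare_digest(hmac.new(k_mac, msg, hashlib.sha256).digest(), tag):
        raise ValueError("bad tag")
    return msg


def flip_byte(data: bytes, i: int) -> bytes:
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]


def rejects(decrypt, k_enc: bytes, k_mac: bytes, ct: bytes) -> bool:
    try:
        decrypt(k_enc, k_mac, ct)
    except ValueError:
        return True
    return False
```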


