[Cryptography] On the Impending Crypto Monoculture

Ray Dillinger bear at sonic.net
Fri Mar 25 21:41:37 EDT 2016
On 03/25/2016 04:06 PM, Ray Dillinger wrote:
>  Encrypt-then-MAC really *is* superior to MAC-then-
> encrypt, but you've got to be careful not to fall in one narsty
> little pothole next to the road.
> 
> That pothole is this:  Alice prepares a message for Bob, which
> she MACs, then encrypts.  She sends it to Bob, and he strips
> her MAC off of it, puts his own MAC on it, re-encrypts, and
> sends it to Carol pretending it's a message to Carol from Bob.


Ergh.  I babbled, of course. The first sentence above is just
plain wrong. Parts of the rest are muddled. Let me clarify.

Briefly:  The misattribution attack on MAC-then-Encrypt allows
Bob to redirect messages originally sent to Bob (because he can
decrypt those, then replace the MAC, re-encrypt, and resend them).
In security terms this is a pothole.  It can be harmful if Alice
is sending to Bob anything Bob should not be able to produce
himself, but is otherwise harmless.

The misattribution attack on Encrypt-then-MAC allows Bob (or
Mallory) to intercept an encrypted message from anybody to
anybody, and with no need to decrypt it substitute his own
MAC for the original.  In security terms this is a missing
bridge.  You have to find a different way to get where you're
going.  This is the good reason why Encrypt-Then-MAC ought
to be avoided.

In the Encrypt-then-MAC world attackers can substitute MACs
on messages regardless of whether they can decrypt them; with
a lot of protocols it's a pretty easy guess what's being
said, so inability to decrypt is frequently inadequate defense.

 				Bear
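An added example, not from Bear's post or anything he describes implementing: an Encrypt-then-MAC construction whose tag covers the sender, recipient and nonce as well as the ciphertext, and which selects the keys from the *claimed* sender/recipient pair, so a tag cannot be carried over to a relabelled header and nothing is decrypted until the tag verifies. The names (`seal`, `open_`, `demo`), the per-pair key table and the HMAC-based toy keystream standing in for a real cipher are all my own assumptions.

```python
import hashlib
import hmac
import os
import struct
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy PRF keystream (HMAC-SHA256 in counter mode); a stand-in for a real cipher.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]

def _header(sender: str, recipient: str, nonce: bytes) -> bytes:
    # Length-prefix every field so the encoding cannot be ambiguous.
    fields = [sender.encode(), recipient.encode(), nonce]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)

def seal(keys, sender, recipient, plaintext, nonce=None):
    """Encrypt-then-MAC: the tag covers header + ciphertext under the (sender, recipient) pair's keys."""
    enc_key, mac_key = keys[(sender, recipient)]
    nonce = nonce if nonce is not None else os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, _header(sender, recipient, nonce) + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def open_(keys, sender, recipient, nonce, ct, tag):
    """Verify under the keys for the claimed pair; decrypt only after the tag checks out."""
    pair = keys.get((sender, recipient))
    if pair is None:
        return None
    enc_key, mac_key = pair
    expected = hmac.new(mac_key, _header(sender, recipient, nonce) + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # rejected before the ciphertext is touched
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo():
    # Constructed keys: a distinct (enc, mac) pair for each ordered sender/recipient pair.
    keys = {pair: (os.urandom(32), os.urandom(32))
            for pair in [("alice", "bob"), ("alice", "carol"), ("bob", "carol")]}
    nonce, ct, tag = seal(keys, "alice", "bob", b"the meeting is at noon")
    genuine = open_(keys, "alice", "bob", nonce, ct, tag)
    # Relabelling the recipient without decrypting: the header is MAC input, so it fails.
    relabelled = open_(keys, "alice", "carol", nonce, ct, tag)
    # Re-tagging under the bob->carol MAC key while still claiming Alice as sender: Carol
    # verifies under the alice->carol key, so the transplanted tag fails as well.
    bob_tag = hmac.new(keys[("bob", "carol")][1], _header("alice", "carol", nonce) + ct, hashlib.sha256).digest()
    forged = open_(keys, "alice", "carol", nonce, ct, bob_tag)
    # A flipped ciphertext bit is rejected before any decryption happens.
    tampered = open_(keys, "alice", "bob", nonce, bytes([ct[0] ^ 1]) + ct[1:], tag)
    return genuine, relabelled, forged, tampered
```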
