[Cryptography] On the Impending Crypto Monoculture

Andrew Donoho awd at ddg.com
Fri Mar 25 20:35:07 EDT 2016


> On Mar 25, 2016, at 18:06 , Ray Dillinger <bear at sonic.net> wrote:
> 
> 
> 
> On 03/24/2016 10:27 PM, Andrew Donoho wrote:
> 
>> 	In my app's code, I’ve only used AES-256-CBC, SHA-256, HMAC-SHA-256, and RSA-2048. (Yes, I use encrypt then MAC.) 
> 
> Okay, just in case you're new to the crypto-code game I have to
> bring this up.  Encrypt-then-MAC really *is* superior to MAC-then-
> encrypt, but you've got to be careful not to fall in one narsty
> little pothole next to the road.
Bear,
	Thank you for sharing this insight. Most of what I know about crypto systems comes from “Practical Cryptography” by Ferguson and Schneier. In it on page 117, they come down in favor of MAC-then-encrypt. In their newer edition, “Cryptography Engineering,” Ferguson, Schneier and Kohno, they maintain their advice on page 104. My crypto friends overruled them. I am lucky to have smart crypto friends. (Of course, any errors in the code are mine.)
> That pothole is this:  Alice prepares a message for Bob, which
> she MACs, then encrypts.  She sends it to Bob, and he strips
> her MAC off of it, puts his own MAC on it, re-encrypts, and
> sends it to Carol pretending it's a message to Carol from Bob.
> 
> Now this sounds like a dumb thing that could never happen because
> Carol wouldn't really be fooled by a message from the wrong origin
> bearing the wrong MAC, even if the origin and MAC she actually gets
> it from do go together.  But, assuming Carol is running an honest
> node (your code?) look at the code for it.  Would she be fooled?
> How would she react?
	I will go look at that code. My application, Spot, URL below, is a location tracking application which also uses cryptography to protect its users from prying eyes, such as mine. The companion app, XtaX, reads the data for the user’s accountant. The MAC is countersigned by my cloud server. I basically fix the state of whatever makes it to my cloud. When it is read back, the location has both the signature and MAC validated by someone who has both keys before decrypting the structured data. If either fail, I throw the data away. The fix didn’t happen.

	I’ll try to think through what will happen if someone tries to inject data into my cloud database system. Probably nothing. The data will just get thrown away when it fails the MAC. But this will take some study.

	I am surprised at how subtle this stuff can be. I am glad I’ve only been able to choose from the limited range of algorithms for my system. More choices are not particularly better. There are more ways to choose poorly … and we all know how that ends.
Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

New: Spot marks the taX™ App, <http://SpotMarksTheTaX.com>
Retweever Family: <http://Image.Retweever.com>, <http://Retweever.com>

Essentially, all models are wrong, but some are useful.
	— George E.P. Box
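
Ray's relay scenario and the verify-before-decrypt rule described in the reply, worked through as an added example. This is not Spot's code and nothing here was posted in the thread. It keeps HMAC-SHA-256 as the MAC but swaps AES-256-CBC for an HMAC-SHA-256 counter-mode keystream, because Python's standard library has no AES; only the construction around the cipher matters here. The key names, the "from"/"to" header fields and the "owner" field inside the payload are assumptions made for the illustration. What it shows: a MAC that covers only IV and ciphertext authenticates bytes, not origin. Bob can legitimately read Alice's payload and re-seal it under his own key to Carol; Carol is only safe if the sender is bound into the authenticated header and her code attributes data to that authenticated sender rather than to any claim inside the plaintext.

```python
"""Encrypt-then-MAC where the tag also binds who sent the message to whom.

Added example, not code from Spot or from the mailing-list thread. AES-256-CBC
is replaced by an HMAC-SHA-256 counter-mode keystream (stdlib has no AES).
"""
import hashlib
import hmac
import json
import os
import struct

IV_LEN = 16
TAG_LEN = 32


def _keystream_xor(enc_key, iv, data):
    """Stand-in cipher: XOR with an HMAC-SHA-256 keystream. Same call encrypts and decrypts."""
    stream = b"".join(
        hmac.new(enc_key, iv + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def derive_keys(shared_secret):
    """Independent encryption and MAC keys from one pairwise secret (labels are assumptions)."""
    return (
        hmac.new(shared_secret, b"example enc", hashlib.sha256).digest(),
        hmac.new(shared_secret, b"example mac", hashlib.sha256).digest(),
    )


def seal(shared_secret, header, payload):
    """Encrypt-then-MAC: tag = HMAC-SHA-256(len(header) || header || IV || ciphertext).

    The header (who -> whom) is authenticated but sent in the clear."""
    enc_key, mac_key = derive_keys(shared_secret)
    hdr = json.dumps(header, sort_keys=True).encode()
    iv = os.urandom(IV_LEN)
    ct = _keystream_xor(enc_key, iv, json.dumps(payload).encode())
    body = struct.pack(">H", len(hdr)) + hdr + iv + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(shared_secret, blob):
    """Verify the MAC first, then decrypt. Returns (header, payload) or None on any failure."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(blob) < 2 + IV_LEN + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # drop before touching the ciphertext
    hlen = struct.unpack(">H", body[:2])[0]
    header = json.loads(body[2:2 + hlen])
    iv = body[2 + hlen:2 + hlen + IV_LEN]
    ct = body[2 + hlen + IV_LEN:]
    return header, json.loads(_keystream_xor(enc_key, iv, ct))


def relay_attack(k_ab, k_bc):
    """Ray's pothole: Bob reads Alice's message, then re-MACs and re-encrypts it for Carol."""
    alice_to_bob = seal(k_ab, {"from": "alice", "to": "bob"},
                        {"owner": "alice", "lat": 30.27, "lon": -97.74})  # constructed sample
    _, payload = open_sealed(k_ab, alice_to_bob)  # Bob is a legitimate recipient
    return seal(k_bc, {"from": "bob", "to": "carol"}, payload)  # forwarded untouched


def carol_naive(k_bc, blob):
    """Trusts the origin claim inside the plaintext, so Bob's relay is filed under Alice."""
    result = open_sealed(k_bc, blob)
    return None if result is None else result[1]["owner"]


def carol_hardened(k_bc, expected_sender, blob):
    """Origin is the authenticated header, which must match the key that verified it."""
    result = open_sealed(k_bc, blob)
    if result is None:
        return None
    header, payload = result
    if header.get("from") != expected_sender or header.get("to") != "carol":
        return None  # header does not match the channel this key belongs to
    if payload.get("owner") != header["from"]:
        return None  # inner claim disagrees with authenticated origin: throw it away
    return header["from"]
```

The hardened receiver never consults an origin field that the MAC did not cover, and it discards anything whose authenticated header disagrees with the key it verified under, which is the same discard-on-failure behaviour the reply describes for Spot's MAC and signature checks. Note that with this layout the header is authenticated but readable; if the routing metadata itself is sensitive it has to move inside the ciphertext, with the MAC still covering everything.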