[Cryptography] On the Impending Crypto Monoculture

Ron Garret ron at flownet.com
Sat Mar 26 12:27:37 EDT 2016


On Mar 25, 2016, at 6:41 PM, Ray Dillinger <bear at sonic.net> wrote:

> 
> 
> On 03/25/2016 04:06 PM, Ray Dillinger wrote:
>> 
> 
>> Encrypt-then-MAC really *is* superior to MAC-then-
>> encrypt, but you've got to be careful not to fall in one narsty
>> little pothole next to the road.
>> 
>> That pothole is this:  Alice prepares a message for Bob, which
>> she MACs, then encrypts.  She sends it to Bob, and he strips
>> her MAC off of it, puts his own MAC on it, re-encrypts, and
>> sends it to Carol pretending it's a message to Carol from Bob.
> 
> 
> Ergh.  I babbled, of course. The first sentence above is just
> plain wrong. Parts of the rest are muddled. Let me clarify.
> 
> Briefly:  The misattribution attack on Mac-Then-Encrypt allows
> Bob to redirect messages originally sent to Bob (because he can
> decrypt those, then replace the MAC, re-encrypt, and resend them).
> In security terms this is a pothole.  It can be harmful if Alice
> is sending to Bob anything Bob should not be able to produce
> himself, but is otherwise harmless.
> 
> The misattribution attack on Encrypt-Then-Mac allows Bob (or
> Mallory) to intercept an encrypted message from anybody to
> anybody, and with no need to decrypt it substitute his own
> MAC for the original.  In security terms this is a missing
> bridge.  You have to find a different way to get where you're
> going.  This is the good reason why Encrypt-Then-MAC ought
> to be avoided.
> 
> In the Encrypt-then-MAC world attackers can substitute MACs
> on messages regardless of whether they can decrypt them -
> With a lot of protocols it's a pretty easy guess what's being
> said, so inability to decrypt is frequently inadequate defense.

Ironically, it is precisely perennial confusions like this that are driving people towards the DJB monoculture: if you use NaCl you don’t need to worry about ETM/MTE.  You just call crypto_box and the Right Thing happens automagically.

Actually, it turns out that even crypto_box has a small pitfall: an attacker can take a message sent by Alice to Bob and make it look like it was sent from Bob to Alice simply by swapping the keys.  There’s a fix for this (encode the order of the keys into the nonce) but crypto_box does not do this automatically (though SC4 does).  Thanks to Mario Heiderich at Cure53 for pointing this out to me.

rg
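An added illustration of the key-swap pitfall described in the last paragraph, and of the fix it mentions (encoding the order of the two public keys into the nonce). This is example code written for this page, not NaCl's, SC4's or the author's own code. It builds a toy `box`/`box_open` from Diffie-Hellman over a MODP group (the 1024-bit prime from RFC 2409 group 2, used only because any commutative key agreement shows the effect) and encrypt-then-MAC with HMAC-SHA256, standing in for Curve25519/XSalsa20/Poly1305; all function names (`shared_key`, `nonce_unbound`, `nonce_bound`, `reflection_succeeds`) are assumptions, and the message text is constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group standing in for Curve25519. Assumption: the only property
# the demonstration needs is that both sides derive the same shared secret, so any
# group would do. Modulus: 1024-bit MODP prime from RFC 2409 group 2 (illustrative only).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PK_LEN = 128  # bytes needed to serialise one group element (1024 bits)


def keypair():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)


def shared_key(my_sk, their_pk):
    """Hash of the DH shared secret. Note it is identical for (a, B) and (b, A):
    a box from Alice to Bob and a box from Bob to Alice use the same key."""
    return hashlib.sha256(pow(their_pk, my_sk, P).to_bytes(PK_LEN, "big")).digest()


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def box(key, nonce, msg):
    """Toy crypto_box: encrypt-then-MAC, tag covers nonce and ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(m ^ k for m, k in zip(msg, _keystream(enc_key, nonce, len(msg))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def box_open(key, nonce, sealed):
    """Returns the plaintext, or None if the tag does not verify under this nonce."""
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def nonce_unbound(counter):
    """Plain counter nonce: says nothing about who sent the message to whom."""
    return counter.to_bytes(24, "big")


def nonce_bound(sender_pk, recipient_pk, counter):
    """The fix from the post: derive the nonce from the ordered pair (sender, recipient),
    so the same ciphertext cannot verify in the opposite direction."""
    material = (sender_pk.to_bytes(PK_LEN, "big")
                + recipient_pk.to_bytes(PK_LEN, "big")
                + counter.to_bytes(8, "big"))
    return hashlib.sha256(material).digest()[:24]


MESSAGE = b"pay bob 100"  # constructed sample plaintext


def reflection_succeeds(bind_direction):
    """Alice boxes MESSAGE for Bob. Mallory, without any key, hands the sealed box
    back to Alice claiming it came from Bob. Returns True if Alice accepts it."""
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    counter = 7
    send_nonce = nonce_bound(a_pk, b_pk, counter) if bind_direction else nonce_unbound(counter)
    sealed = box(shared_key(a_sk, b_pk), send_nonce, MESSAGE)
    # Alice is told the message is Bob -> Alice and derives the nonce for that direction.
    recv_nonce = nonce_bound(b_pk, a_pk, counter) if bind_direction else nonce_unbound(counter)
    return box_open(shared_key(a_sk, b_pk), recv_nonce, sealed) is not None


def legitimate_delivery_works(bind_direction):
    """Sanity check: Bob can still open a box Alice really sent him."""
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    counter = 7
    nonce = nonce_bound(a_pk, b_pk, counter) if bind_direction else nonce_unbound(counter)
    sealed = box(shared_key(a_sk, b_pk), nonce, MESSAGE)
    return box_open(shared_key(b_sk, a_pk), nonce, sealed) == MESSAGE


if __name__ == "__main__":
    print("reflection accepted, plain nonce:", reflection_succeeds(False))
    print("reflection accepted, direction-bound nonce:", reflection_succeeds(True))
```

The shared key being symmetric is what makes the reflection work: Alice's verifier for "Bob to Alice" is the same key she used for "Alice to Bob", so a tag she produced verifies again. Binding the ordered key pair into the nonce (or, equivalently, into authenticated associated data) means the receiver verifies under a nonce the sender never used for that ciphertext, and the tag check fails.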
