[Cryptography] On the Impending Crypto Monoculture

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Mar 27 06:14:22 EDT 2016


Ray Dillinger <bear at sonic.net> writes:

>The misattribution attack on Encrypt-Then-Mac allows Bob (or Mallory) to
>intercept an encrypted message from anybody to anybody, and with no need to
>decrypt it substitute his own MAC for the original.  In security terms this
>is a missing bridge.

In security terms it's a red herring.  None of the major users of EtM (IPsec,
SSH, TLS, and S/MIME) are subject to this attack, because you can't substitute
a different MAC for an existing one.

>In the Encrypt-then-MAC world attackers can substitute MACs on messages
>regardless of whether they can decrypt them -

No they can't.

Peter.
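
As an added illustration (not part of this thread, and not code from any of the protocols named above): a minimal encrypt-then-MAC construction in pure Python standard library, showing why a third party cannot "substitute his own MAC" on an intercepted ciphertext. The receiver recomputes the tag under the MAC key it shares with the sender, so a tag produced under any other key fails verification, as does any alteration of the ciphertext. The stream cipher here is an illustrative HMAC-SHA256 keystream in counter mode standing in for AES-CTR, and the keys, nonce and message are constructed values; in the real protocols the MAC key is derived from the session key exchange and is held only by the two endpoints.

```python
import hmac
import hashlib
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 used as a PRF in counter mode.
    # Stands in for AES-CTR so the example needs only the standard library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None):
    # Encrypt first, then MAC the nonce and ciphertext (EtM order).
    nonce = nonce if nonce is not None else os.urandom(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    # Verify the tag under the shared MAC key before touching the ciphertext.
    # Returns the plaintext, or None if the tag does not verify.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    # Constructed keys shared by the two endpoints (Alice and Bob).
    enc_key = b"\x01" * 32
    mac_key = b"\x02" * 32
    # Constructed key held by a third party who sees the ciphertext but not mac_key.
    outsider_mac_key = b"\x03" * 32
    nonce = b"\x10" * 16
    message = b"constructed test message"

    nonce, ct, tag = encrypt_then_mac(enc_key, mac_key, message, nonce)

    # Legitimate receiver: tag verifies, plaintext recovered.
    genuine = verify_and_decrypt(enc_key, mac_key, nonce, ct, tag)

    # Tag recomputed over the same ciphertext under a different key: rejected.
    foreign_tag = hmac.new(outsider_mac_key, nonce + ct, hashlib.sha256).digest()
    substituted = verify_and_decrypt(enc_key, mac_key, nonce, ct, foreign_tag)

    # Ciphertext altered while the original tag is left in place: rejected.
    flipped = bytes([ct[0] ^ 0x01]) + ct[1:]
    tampered = verify_and_decrypt(enc_key, mac_key, nonce, flipped, tag)

    return {
        "genuine": genuine,
        "substituted_tag_accepted": substituted is not None,
        "tampered_ct_accepted": tampered is not None,
        "tag_len": len(tag),
    }


if __name__ == "__main__":
    print(demo())
```

The point the receiver-side check makes is that the tag is a function of the MAC key as well as of the ciphertext: whoever presents a verifying tag must hold that key, which is exactly what a third party intercepting the traffic lacks.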

