[Cryptography] On the Impending Crypto Monoculture

Andrew Donoho awd at ddg.com
Sun Mar 27 15:22:31 EDT 2016


> On Mar 27, 2016, at 13:57 , Nemo <nemo at self-evident.org> wrote:
> 
>> As Encrypt-then-MAC follows the similar pattern as a publicly
>> validate-able digital signature, I have a bias towards building the
>> storage system around similar patterns, Encrypt-then-MAC and
>> Encrypt-then-Sign.
> 
> Actually, no, it is nothing like "a publicly validate-able digital
> signature". And "Encrypt-then-Sign" is nothing like authenticated
> encryption.

Nemo,

	Thank you for correcting me.

> In fact, this is the entire lesson of the recent JHU attack on
> iMessage. See https://twitter.com/secparam/status/711999852020940800 and
> http://blog.cryptographyengineering.com/2016/03/attack-of-week-apple-imessage.html

	I’ve read the blog post but not yet the paper.

	Your advice then would be to calculate the HMAC and then sign(h(m||hmac))? (Sign the SHA-256 hash of the encrypted AES-256-CBC message concatenated with the HMAC.) I can do that.

> Even Apple's engineers could not get this right. And some wonder why we
> say, "For crying out loud, just use Bernstein's code”?

	While I am quite open to using Bernstein’s code, as I hope I’ve adequately documented, I currently do not have that option. Will I encourage Apple to add more algorithms? Yes. When will they do so? In this anti-Apple regulatory environment, probably not in the next 10 years. The government is quite pissed off that Apple doesn’t suck at security.

Anon,
Andrew
____________________________________
Andrew W. Donoho
Donoho Design Group, L.L.C.
awd at DDG.com, +1 (512) 750-7596, twitter.com/adonoho

New: Spot marks the taX™ App, <http://SpotMarksTheTaX.com>
Retweever Family: <http://Image.Retweever.com>, <http://Retweever.com>

"To take no detours from the high road of reason and social responsibility."
   -- Marcus Aurelius
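As an added example, not code from this thread or any of its participants, here is the Encrypt-then-MAC-then-Sign composition Andrew asks about, in Go: AES-256-CBC, HMAC-SHA256 over IV||ciphertext, and a signature over SHA-256(IV||ct||tag), with the receiver verifying the signature and the MAC before anything is decrypted. Ed25519 stands in for whatever signature scheme the storage system actually uses, and the key handling is assumed: a pre-built AES-256 cipher.Block and a separate, independent HMAC key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Sealed: CBC IV, ciphertext, HMAC-SHA256 tag over IV||ct, Ed25519 signature over SHA-256(IV||ct||tag).
type Sealed struct{ IV, CT, Tag, Sig []byte }
// tag MACs IV||ct under macKey, which must be a key independent of the AES key (assumed here).
func tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(bytes.Join([][]byte{iv, ct}, nil))
	return m.Sum(nil)
}
// Seal: PKCS#7 pad, AES-CBC encrypt under blk (an AES-256 cipher.Block), MAC, then sign(h(m||hmac)).
func Seal(blk cipher.Block, macKey []byte, sk ed25519.PrivateKey, msg []byte) Sealed {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err) // a CSPRNG failure is unrecoverable; never encrypt with a bad IV
	}
	n := aes.BlockSize - len(msg)%aes.BlockSize
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, ct) // in place: dst and src overlap exactly
	t := tag(macKey, iv, ct)
	h := sha256.Sum256(bytes.Join([][]byte{iv, ct, t}, nil))
	return Sealed{iv, ct, t, ed25519.Sign(sk, h[:])}
}
// Open checks lengths, the signature, then the MAC in constant time; only after all three
// pass does any ciphertext reach the CBC decryptor and the padding check.
func Open(blk cipher.Block, macKey []byte, pk ed25519.PublicKey, s Sealed) ([]byte, error) {
	h := sha256.Sum256(bytes.Join([][]byte{s.IV, s.CT, s.Tag}, nil))
	if len(s.IV) != aes.BlockSize || len(s.CT) == 0 || len(s.CT)%aes.BlockSize != 0 ||
		!ed25519.Verify(pk, h[:], s.Sig) || !hmac.Equal(tag(macKey, s.IV, s.CT), s.Tag) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, len(s.CT))
	cipher.NewCBCDecrypter(blk, s.IV).CryptBlocks(pt, s.CT)
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length
	if n == 0 || n > aes.BlockSize || n > len(pt) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

The order in Open is the point of the JHU/iMessage lesson referenced above: nothing is decrypted, and no padding is inspected, until both the signature and the MAC have been checked.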


