[19904] in cryptography@c2.net mail archive


Re: general defensive crypto coding principles

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Thu Feb 9 09:42:27 2006

X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, sidney@sidney.com
In-Reply-To: <43EA87C5.7070400@sidney.com>
Date: Thu, 09 Feb 2006 17:52:11 +1300

Sidney Markowitz <sidney@sidney.com> writes:
>Krawczyk's paper shows that authenticate before encryption is not secure
>under assumptions that are not realistic, such as the encryption being
>subject to a chosen ciphertext attack, use of ECB mode, separate MAC
>authentication of each block along with an encryption oracle so you can use a
>kind of block level replay attack in CBC mode. If you use a good cipher with
>an appropriate mode and apply the authentication to the entire message with
>proper use of message ID or timestamp to prevent replay attacks, you avoid
>Krawczyk's vulnerabilities four times over.

Just after I sent my previous message (sigh) I finally remembered the name of
the paper that contains a more realistic analysis of encrypt/MAC modes and
looks at existing implementations; it's "Building Secure Cryptographic
Transforms, or How to Encrypt and MAC" by Kohno, Palacio, and Black.  Google
tells me it's available from the IACR ePrint archive,
http://eprint.iacr.org/2003/177.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
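The quoted paragraph above argues that the dangerous cases for authenticate-then-encrypt disappear when the MAC covers the entire message (including a message ID or counter) rather than individual blocks. The following is an added example, not code from this thread or from the Kohno/Palacio/Black paper, showing the composition most practitioners now recommend for exactly that reason: encrypt, then MAC the whole packet (sequence number plus ciphertext), and on receipt verify the tag in constant time before touching the ciphertext at all, rejecting any sequence number that is not strictly newer than the last one accepted. It uses only the Python standard library; the HMAC-SHA256 counter-mode keystream is a stand-in PRF so the example runs offline, and a production system would use a vetted AEAD mode instead. The class and function names (`SecureChannel`, `derive_keys`, `keystream`) and the packet layout are assumptions made for this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output length
SEQ_LEN = 8    # 64-bit big-endian sequence number, sent in the clear but authenticated


def derive_keys(master_key: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one master key, so the
    same key is never reused across the cipher and the MAC."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stand-in PRF for this
    example; not a substitute for a real cipher). The sequence number is the
    nonce, so a given (key, seq) pair must never be used for two messages."""
    blocks = []
    for counter in range((length + 31) // 32):
        block_input = struct.pack(">QQ", seq, counter)
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


class SecureChannel:
    """One direction of an encrypt-then-MAC channel.

    Packet layout (assumed for this example):
        seq (8 bytes) || ciphertext || tag (32 bytes)
    where tag = HMAC-SHA256(mac_key, seq || ciphertext), i.e. the MAC covers
    the entire packet, including the replay counter, not individual blocks.
    """

    def __init__(self, master_key: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.send_seq = 0   # last sequence number emitted by this side
        self.recv_seq = 0   # highest sequence number accepted from the peer

    def seal(self, plaintext: bytes) -> bytes:
        self.send_seq += 1
        header = struct.pack(">Q", self.send_seq)
        ks = keystream(self.enc_key, self.send_seq, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = hmac.new(self.mac_key, header + ciphertext, hashlib.sha256).digest()
        return header + ciphertext + tag

    def unseal(self, packet: bytes) -> bytes:
        # 1. Reject malformed packets before doing any crypto on them.
        if len(packet) < SEQ_LEN + TAG_LEN:
            raise ValueError("packet too short")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        # 2. Verify the MAC over the whole packet, in constant time, BEFORE
        #    decrypting: unauthenticated ciphertext is never processed.
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        # 3. Replay check on the now-authenticated sequence number.
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq <= self.recv_seq:
            raise ValueError(f"replayed or out-of-order packet (seq={seq})")
        self.recv_seq = seq
        # 4. Only now decrypt.
        ciphertext = body[SEQ_LEN:]
        ks = keystream(self.enc_key, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


if __name__ == "__main__":
    # Constructed demo: a shared key, one sender, one receiver.
    key = b"\x01" * 32
    sender, receiver = SecureChannel(key), SecureChannel(key)
    pkt = sender.seal(b"transfer 100 to alice")
    print("received:", receiver.unseal(pkt))
    for name, bad in [("replay", pkt),
                      ("bit flip", bytes(pkt[:9]) + bytes([pkt[9] ^ 1]) + pkt[10:]),
                      ("truncated", pkt[:20])]:
        try:
            receiver.unseal(bad)
        except ValueError as e:
            print(f"{name}: rejected ({e})")
```

The order of checks in `unseal` is the point: length, then tag over the whole packet, then the sequence number, then decryption. Because the sequence number is under the MAC, an attacker who flips a byte in the ciphertext, the header, or the tag gets the same generic rejection, and a replayed packet is dropped without being decrypted a second time.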
