[19908] in cryptography@c2.net mail archive
RE: conservative choice: encrypt then MAC (Re: general defensive crypto coding principles)
daemon@ATHENA.MIT.EDU (Whyte, William)
Thu Feb 9 10:22:35 2006
X-Original-To: cryptography@metzdowd.com
Date: Thu, 9 Feb 2006 09:59:48 -0500
From: "Whyte, William" <WWhyte@ntru.com>
To: "Adam Back" <adam@cypherspace.org>,
"Peter Gutmann" <pgut001@cs.auckland.ac.nz>
Cc: <cryptography@metzdowd.com>, <lloyd@randombit.net>
> Don't forget Bleichenbacher's error channel attack on SSL
> implementations, which focussed on the mac then encrypt design of
> SSL... web servers gave a different error for malformed padding vs
> plaintext MAC failure. The lesson I drew from that is the
> conservative choice is encrypt then MAC.
Bleichenbacher's attack focused on RSA PKCS#1 decryption. You're
thinking of Vaudenay's, which focused on CBC padding errors.
There are other lessons to draw too, most notably: don't ever
let the sender know the reason why a decryption-and-authentication
failed.
William
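The two receiver designs under discussion, as an added example that is not part of the thread or of any SSL implementation. It builds a MAC-then-encrypt receiver in the SSL style, which exposes the error channel Vaudenay's attack used (a "bad padding" failure distinguishable from a "bad mac" failure), next to an encrypt-then-MAC receiver that verifies the tag over the ciphertext before touching padding and reports a single generic failure. Everything here is an assumption for illustration: the 16-byte block cipher is a toy four-round Feistel network over HMAC-SHA256 standing in for a real cipher (it is not secure), the keys and IV are fixed constants, and the function names are invented.

```python
import hmac
import hashlib

BLOCK = 16
TAG = 32  # HMAC-SHA256 output length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy block cipher (constructed for this example, NOT secure): a 4-round
# Feistel network whose round function is HMAC-SHA256 truncated to 8 bytes.
def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# PKCS#7-style padding, as used by CBC in SSL/TLS.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


# --- MAC-then-encrypt, SSL style: MAC the plaintext, pad, then CBC-encrypt. ---
def mte_seal(enc_key, mac_key, iv, msg):
    return iv + cbc_encrypt(enc_key, iv, pad(msg + mac(mac_key, msg)))


def mte_open_leaky(enc_key, mac_key, packet):
    # Padding is checked before the MAC, and each failure has its own error:
    # that difference is the error channel the thread describes.
    iv, ct = packet[:BLOCK], packet[BLOCK:]
    body = unpad(cbc_decrypt(enc_key, iv, ct))  # may raise "bad padding"
    msg, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(tag, mac(mac_key, msg)):
        raise ValueError("bad mac")  # a second, distinguishable error
    return msg


# --- Encrypt-then-MAC: pad, CBC-encrypt, then MAC over IV and ciphertext. ---
class DecryptError(Exception):
    pass


def etm_seal(enc_key, mac_key, iv, msg):
    ct = iv + cbc_encrypt(enc_key, iv, pad(msg))
    return ct + mac(mac_key, ct)


def etm_open(enc_key, mac_key, packet):
    # The tag is verified (in constant time) before any decryption; every
    # failure, whatever its cause, surfaces as the same generic error.
    ct, tag = packet[:-TAG], packet[-TAG:]
    if len(ct) < BLOCK or not hmac.compare_digest(tag, mac(mac_key, ct)):
        raise DecryptError("decryption failed")
    try:
        return unpad(cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:]))
    except ValueError:
        raise DecryptError("decryption failed")


def observe(opener, enc_key, mac_key, packet):
    """What a peer on the wire gets to see: 'ok' or the failure reported."""
    try:
        opener(enc_key, mac_key, packet)
        return "ok"
    except Exception as e:
        return str(e)
```

Flipping a byte in the IV of a MAC-then-encrypt packet changes one plaintext byte and leaves the padding intact, so `observe` reports "bad mac"; flipping the last byte of the second-to-last ciphertext block corrupts the padding byte and reports "bad padding". The same two tamperings against the encrypt-then-MAC packet both yield "decryption failed", which is the point of William's second lesson: the sender learns that the packet was rejected and nothing more.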
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com