[19922] in cryptography@c2.net mail archive


Re: general defensive crypto coding principles

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Feb 10 14:34:42 2006

X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: cryptography@metzdowd.com, lloyd@randombit.net
In-Reply-To: <20060209061355.GA2125@randombit.net>
Date: Fri, 10 Feb 2006 19:21:05 +1300

Jack Lloyd <lloyd@randombit.net> writes:
>On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
>> So you can use encrypt-then-MAC, but you'd better be *very*
>> careful how you apply it, and MAC at least some of the additional non-message-
>> data components as well.
>
>Looking at the definitions in the paper, I think it is pretty clear that that
>was their intent. The scheme definitions in section 4 make no provisions for
>initialization vectors or any kind of parameterization, so I'm assuming that
>they assumed the encryption function will include all that as part of the
>output, meaning it will be included as part of the MAC.

Well, that's the exact problem that I pointed out in my previous message - in
order to get this right, people have to read the mind of the paper author to
divine their intent.  Since the consumers of the material in the paper
generally won't be expert cryptographers (or even inexpert cryptographers,
they'll be programmers), the result is a disaster waiting to happen.

Peter.
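The point argued in this thread, that an encrypt-then-MAC construction must cover the IV and any other non-message components rather than the ciphertext alone, is easy to show concretely. The following is an added example written for this archive page; it is not code from Peter Gutmann, Jack Lloyd, or the paper under discussion. It assumes a counter-mode cipher built from HMAC-SHA256 as a stand-in for a real block cipher (so it runs on the Python standard library alone), constructed keys and a constructed sample message, and hypothetical function names of its own. The `cover_all` switch chooses between a MAC over the length-prefixed header, IV and ciphertext and a MAC over the ciphertext only; `receiver_outcomes` then reports what a receiver returns when a single byte of the header, IV or ciphertext has been altered.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 16  # bytes of IV per message (constructed choice for this example)


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: a constructed stand-in for a
    # block cipher so the example needs only the standard library. What matters
    # here is which fields the MAC covers, not the cipher itself.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _mac_input(header: bytes, iv: bytes, ct: bytes, cover_all: bool) -> bytes:
    if not cover_all:
        return ct  # MAC over the ciphertext only: the omission the thread warns about
    # Length-prefix every field so the (header, iv, ct) boundaries are unambiguous
    # to the MAC; plain concatenation would let fields shift into each other.
    return b"".join(struct.pack(">I", len(f)) + f for f in (header, iv, ct))


def encrypt_then_mac(enc_key, mac_key, header, plaintext, iv=None, cover_all=True):
    iv = os.urandom(IV_LEN) if iv is None else iv
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, _mac_input(header, iv, ct, cover_all), hashlib.sha256).digest()
    return header, iv, ct, tag


def verify_and_decrypt(enc_key, mac_key, header, iv, ct, tag, cover_all=True):
    expected = hmac.new(mac_key, _mac_input(header, iv, ct, cover_all), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject before the ciphertext is touched
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def receiver_outcomes(enc_key, mac_key, header, plaintext, cover_all):
    """Encrypt one message, then hand the receiver three altered copies (one byte
    changed in the header, the IV, or the ciphertext) and report what it returned
    for each. None means the tag check rejected the message."""
    header, iv, ct, tag = encrypt_then_mac(enc_key, mac_key, header, plaintext, cover_all=cover_all)

    def flip(b: bytes) -> bytes:
        return bytes([b[0] ^ 0x01]) + b[1:]

    return {
        "intact": verify_and_decrypt(enc_key, mac_key, header, iv, ct, tag, cover_all),
        "header": verify_and_decrypt(enc_key, mac_key, flip(header), iv, ct, tag, cover_all),
        "iv": verify_and_decrypt(enc_key, mac_key, header, flip(iv), ct, tag, cover_all),
        "ciphertext": verify_and_decrypt(enc_key, mac_key, header, iv, flip(ct), tag, cover_all),
    }


if __name__ == "__main__":
    # Constructed keys: separate keys for the cipher and the MAC.
    ek, mk = os.urandom(32), os.urandom(32)
    hdr, msg = b"\x01", b"transfer 100 to account 42"  # constructed sample message
    for cover_all in (False, True):
        r = receiver_outcomes(ek, mk, hdr, msg, cover_all)
        label = "MAC covers header+IV+ct" if cover_all else "MAC covers ct only"
        print(label, {k: (v is not None) for k, v in r.items()})
```

With the ciphertext-only MAC the receiver accepts the altered header unchanged and accepts the altered IV too, decrypting to something other than what was sent without any error; with the MAC over all three fields every alteration is rejected before decryption. The length prefixes are the second half of the same lesson: which bytes the MAC covers, and how they are delimited, are both part of the construction, and neither is something a programmer should have to infer from the paper.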

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
