general defensive crypto coding principles
Peter Gutmann
2006-02-10 06:21:05
Jack Lloyd <lloyd@randombit.net> writes:
>On Thu, Feb 09, 2006 at 05:01:05PM +1300, Peter Gutmann wrote:
>> So you can use encrypt-then-MAC, but you'd better be *very* careful how you apply it, and MAC at least some of the additional non-message-data components as well.
>
>Looking at the definitions in the paper, I think it is pretty clear that that was their intent. The scheme definitions in section 4 make no provisions for initialization vectors or any kind of parameterization, so I'm assuming that they assumed the encryption function will include all that as part of the output, meaning it will be included as part of the MAC.

Well, that's the exact problem that I pointed out in my previous message - in order to get this right, people have to read the mind of the paper author to divine their intent. Since the consumers of the material in the paper generally won't be expert cryptographers (or even inexpert cryptographers, they'll be programmers), the result is a disaster waiting to happen.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
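
The two readings of encrypt-then-MAC discussed in this exchange, side by side, as an added example (not code from either poster or from the paper under discussion). The first scheme MACs the ciphertext alone; the second MACs the cleartext header, the IV and the ciphertext, each length-prefixed so the tag input has only one parse. Assumptions: the cipher is CTR mode over HMAC-SHA256 as the PRF, a standard-library stand-in for AES-CTR, and the key split, header format and message contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct


def derive_keys(master: bytes):
    """Split one master key into separate encryption and MAC keys.

    Assumption for this example: a labelled HMAC-SHA256 derivation stands in
    for a real KDF; what matters is that the two keys are independent.
    """
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-mode keystream with HMAC-SHA256 as the PRF.

    Stand-in for AES-CTR so the example needs only the standard library;
    the MAC-scope lesson does not depend on which PRF is underneath.
    """
    blocks = []
    for counter in range((length + 31) // 32):
        block_input = iv + struct.pack(">Q", counter)
        blocks.append(hmac.new(enc_key, block_input, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def ctr_crypt(enc_key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, iv, len(data))))


def canonical(*fields: bytes) -> bytes:
    """Length-prefix every field so the MAC input has exactly one parse;
    plain concatenation would let bytes move between header and IV."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def seal_ct_only(master: bytes, header: bytes, plaintext: bytes, iv: bytes = None):
    """Encrypt-then-MAC read too literally: the tag covers only the ciphertext.
    Header and IV travel in the clear and are not bound by the tag."""
    enc_key, mac_key = derive_keys(master)
    iv = os.urandom(16) if iv is None else iv
    ct = ctr_crypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return header, iv, ct, tag


def open_ct_only(master: bytes, header: bytes, iv: bytes, ct: bytes, tag: bytes):
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(enc_key, iv, ct)


def seal_full(master: bytes, header: bytes, plaintext: bytes, iv: bytes = None):
    """Encrypt-then-MAC with the tag over header, IV and ciphertext: the
    reading under which the IV is 'part of the encryption output'."""
    enc_key, mac_key = derive_keys(master)
    iv = os.urandom(16) if iv is None else iv
    ct = ctr_crypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, canonical(header, iv, ct), hashlib.sha256).digest()
    return header, iv, ct, tag


def open_full(master: bytes, header: bytes, iv: bytes, ct: bytes, tag: bytes):
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, canonical(header, iv, ct), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_crypt(enc_key, iv, ct)


def demo() -> dict:
    """Constructed scenario: an attacker flips one IV bit and rewrites the
    cleartext header (here a sequence number) without touching the ciphertext."""
    master = hashlib.sha256(b"constructed demo master key").digest()
    header, msg = b"seq=1", b"pay 100 to alice"
    iv = bytes(range(16))
    evil_header = b"seq=2"

    _, iv0, ct, tag = seal_ct_only(master, header, msg, iv)
    evil_iv = bytes([iv0[0] ^ 0x01]) + iv0[1:]
    ct_only_result = open_ct_only(master, evil_header, evil_iv, ct, tag)

    _, iv1, ct2, tag2 = seal_full(master, header, msg, iv)
    return {
        "ct_only_accepts_tampered": ct_only_result is not None,
        "ct_only_plaintext_changed": ct_only_result != msg,
        "full_rejects_iv_tamper": open_full(master, header, evil_iv, ct2, tag2) is None,
        "full_rejects_header_tamper": open_full(master, evil_header, iv1, ct2, tag2) is None,
        "full_roundtrip": open_full(master, header, iv1, ct2, tag2) == msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the ciphertext-only tag the receiver accepts the tampered message and decrypts it to something other than what was sent, and the rewritten header is never checked at all; with the full-scope tag both modifications are rejected. The length prefixes in canonical() are the other half of "be careful how you apply it": a tag over header||iv||ct with variable-length fields would verify for more than one (header, iv, ct) split.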
general defensive crypto coding principles
Jack Lloyd
2006-02-11 18:14:29
On Fri, Feb 10, 2006 at 07:21:05PM +1300, Peter Gutmann wrote:

> Well, that's the exact problem that I pointed out in my previous message - in order to get this right, people have to read the mind of the paper author to divine their intent. Since the consumers of the material in the paper generally won't be expert cryptographers (or even inexpert cryptographers, they'll be programmers), the result is a disaster waiting to happen.

I would expect that typically implementors would be following a published standard, which would (well, one would hope) have had expert cryptographers check it over sometime prior to publication. If your typical application programmer is just coming up with their own crypto protocol, I personally don't consider it to be a valid concern because they will with overwhelming odds completely botch it in any case, and usually in a much less subtle way than this.

(Actually offhand I can't think of a single non-cryptographer-designed crypto protocol I've seen that wasn't fundamentally broken, often in a fairly obvious way. I could believe there have been a few, but the odds seem very much against it.)

-Jack
