I don't believe MtE is good advice, and I have yet to see a
decent reason
why one would want to use that instead of EtM.
Of course when we talk about EtM, the MAC should be applied
over all
plaintext headers and trailers (including IV used for
encryption, algorithm
identifier, protocol version, whatever).
Allot of attacks could have been prevented with EtM,
including the Vaudenay
padding attack, the Chosen-Ciphertext Attacks against PGP
and other email
encryption protocols described by Schneier, Katz and Jallad
http://www.schn
eier.com/paper-pgp.pdf
as well as the attacks on Host Security Modules key blocks
(well in this
case the bad was simply that their were to integrity checks,
2 key
Triple-DES keys were protected by a master triple-DES key by
encrypted the
left part and right part independently) and other such types
as described by
Clulow and others
http://www.c
l.cam.ac.uk/~jc407/Chap3.pdf
Ferguson gave an explanation why in his book with Schneier
they recommend
MtE
http://groups.google.ca/group/sci.cr
ypt/msg/1a0e0165c48e4fe4?q=g:thl19936885
73d&dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8
But the arguments he gives pertain to other problems; see
for example the
comments given by Wagner which I agree with
http://groups.google.ca/group/sci.cr
ypt/msg/532fdfb5edca19a8?q=g:thl24955674
08d&dq=&hl=en&lr=&ie=UTF-8&oe=UTF-8
I had come up with a list of advices for crypto
implementation some time ago
myself. These included (from memory)
- Use good RNGs, even for things other than the generation
of keys (such as
for generating IVs, challenges, etc.)
- Use standard algorithms, and use them in secure ways
(choose a good mode
of encryption, adequate key sizes, pick the IVs the way you
are supposed to
securely, usually either randomly or for counters make sure
you have no
repeats)
- Use standard protocols (don't try to re-invent TLS or
IPSec)
- Encrypt then authenticate over ciphertext and all
plaintext headers and
trailers.
- Use independent keys for different functionalities. If
needed, derive
independent keys based on a single secret using a good key
derivation
function.
- Limit the amount of time you handle secrets (zeroize after
use...)
- Don't let yourself be used as a random oracle (I think
Ross Anderson said
it this way first), this includes limiting information that
is leaked about
errors, avoiding timing attacks and such (this is hard to do
in practice).
--Anton
--
Internal Virus Database is out-of-date.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.1/250 - Release
Date: 03/02/2006
------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe
cryptography" to majordomo metzdowd.com
|