If I'm not mistaken, the OpenSSL spec says that you should MAC the (compressed) message, and then encrypt the message and the MAC. This composition is not generically secure; on the other hand, you can prove some nice things about the composition encrypt-then-MAC assuming certain conditions. See for example David Wagner's post on sci.crypt for a discussion about that:

http://groups.google.ca/groups?q=sci.crypt+encrypt+then+authenticate+Wagner&hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aj77jo%241ko%241%40agate.berkeley.edu&rnum=1

(Using CBC-DES with a random IV and then HMAC, with a KDF that derives independent keys for the encryption and the MACing (the KDF in SSL looks like it can do this), would satisfy these conditions.)

I now always recommend encrypt-then-MAC. If SSL required encrypt-then-MAC, a programmer would more naturally start by verifying the MAC, then decrypt the message, so Vaudenay's attack would be caught first by the MAC verification, and the implementation would probably return an error after the MAC verification and not leak the information needed to discover the plaintext. So even though the attack is not directly the result of the SSL protocol spec, a spec which would favor encrypt-then-MAC would be better in my point of view, and the security holes relating to this SSL attack in implementations might have much less of a chance of existing.

--Anton

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
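The two orderings contrasted in the post, as an added stdlib-only Python example that is not part of the original message: a constructed toy Feistel block cipher stands in for DES, independent encryption and MAC keys are assumed to come from the KDF, and a single-bit sweep over a ciphertext shows that the MAC-then-encrypt receiver emits two distinguishable errors (bad padding versus bad MAC, the distinction Vaudenay's attack relies on) while the encrypt-then-MAC receiver, which verifies the tag first, emits only one.

```python
import hashlib, hmac
BLOCK = 16  # block size of the stand-in cipher, in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _toy_block(key, block, decrypt=False):
    # Constructed 4-round Feistel (HMAC-SHA256 round function) standing in for DES; not a real cipher.
    l, r = (block[8:], block[:8]) if decrypt else (block[:8], block[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l if decrypt else l + r
def _cbc(key, iv, data, decrypt=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _xor(_toy_block(key, blk, True), prev) if decrypt else _toy_block(key, _xor(blk, prev))
        out, prev = out + cur, (blk if decrypt else cur)
    return out
def _pad(m):
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n
def _unpad(m):
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]
def etm_encrypt(k_enc, k_mac, msg, iv):  # encrypt-then-MAC: the tag covers IV and ciphertext
    ct = iv + _cbc(k_enc, iv, _pad(msg))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()
def etm_decrypt(k_enc, k_mac, blob):
    if not hmac.compare_digest(hmac.new(k_mac, blob[:-32], hashlib.sha256).digest(), blob[-32:]):
        raise ValueError("bad mac")  # every forgery stops here, before padding is ever inspected
    return _unpad(_cbc(k_enc, blob[:BLOCK], blob[BLOCK:-32], True))
def mte_encrypt(k_enc, k_mac, msg, iv):  # MAC-then-encrypt: the SSL ordering
    return iv + _cbc(k_enc, iv, _pad(msg + hmac.new(k_mac, msg, hashlib.sha256).digest()))
def mte_decrypt(k_enc, k_mac, blob):
    pt = _unpad(_cbc(k_enc, blob[:BLOCK], blob[BLOCK:], True))  # padding is checked first
    if not hmac.compare_digest(hmac.new(k_mac, pt[:-32], hashlib.sha256).digest(), pt[-32:]):
        raise ValueError("bad mac")
    return pt[:-32]
def error_kinds(decrypt, k_enc, k_mac, blob):
    # Flip one bit at each position and collect the distinct receiver errors; an oracle needs two.
    kinds = set()
    for i in range(len(blob)):
        try:
            decrypt(k_enc, k_mac, blob[:i] + bytes([blob[i] ^ 1]) + blob[i + 1:])
        except ValueError as e:
            kinds.add(str(e))
    return kinds
```

Running `error_kinds` over a `mte_encrypt` output yields both `bad padding` and `bad mac`, while over an `etm_encrypt` output it yields only `bad mac`; a receiver that collapses both failures into one response and constant time closes the same gap, but encrypt-then-MAC makes that the natural implementation rather than a discipline the programmer has to remember.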