| >All of this ignores a significant issue: Are keying and encryption
| >(and authentication) mechanisms really independent of each other? I'm
| >not aware of much work in this direction.
|
| Is there much work to be done here? If you view the keyex mechanism
| as a producer of an authenticated blob of shared secrecy and the
| post-keyex portions (data transfer or whatever you're doing) as a
| consumer of said blob, with a PRF as impedance-matcher (as is done by
| SSL/TLS, SSH, IPsec, ..., with varying degrees of aplomb, and in a
| more limited store-and-forward context PGP, S/MIME, ...), is there
| much more to consider? I don't know.

Can you prove that your way of looking at it is valid? After all, I can look at encryption as applying a PRF to a data stream, and authentication as computing a keyed one-way function (or something) - so is there anything to prove about whether I can choose and combine them independently? About whether Encrypt-then-MAC and MAC-then-Encrypt are equivalent?
I should think by now that we've learned how delicate our cryptographic primitives can be - and how difficult it can be to compose them in a way that retains all their individual guarantees.

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
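The two ideas the exchange above turns on, the "PRF as impedance-matcher" between a key exchange and the record layer, and the Encrypt-then-MAC versus MAC-then-Encrypt composition question, can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from any of the protocols named in it. It assumes a constructed 32-byte value standing in for the keyex output, uses HKDF (RFC 5869, HMAC-SHA256) as the PRF (TLS and SSH use their own PRFs, so this is a stand-in, not their construction), and uses an HMAC-SHA256 counter keystream as a hypothetical stream cipher so that everything runs with only the Python standard library. The point it shows beyond the prose is structural: with Encrypt-then-MAC the receiver rejects a modified record before a single byte goes through the decryption routine, whereas with MAC-then-Encrypt the whole record must be decrypted before the integrity check can run.

```python
# Added example, not part of the mailing-list message.  Names, the
# constructed shared secret, and the HMAC-counter "cipher" are all
# assumptions made so the code runs offline.
import hmac
import hashlib

decrypt_log = []   # records how many bytes each stream_xor call processed


def hkdf(shared_secret: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256.
    Turns the authenticated keyex blob into independent sub-keys."""
    prk = hmac.new(salt, shared_secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(shared_secret: bytes, transcript: bytes):
    """Separate encryption and MAC keys from one shared secret (the
    'impedance-matcher' role the thread assigns to the PRF)."""
    material = hkdf(shared_secret, transcript, b"example traffic keys", 64)
    return material[:32], material[32:]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Hypothetical stream cipher: HMAC-SHA256 counter keystream XORed
    onto the data.  Stand-in for a real cipher such as AES-CTR."""
    decrypt_log.append(len(data))
    ks = b""
    for ctr in range((len(data) + 31) // 32):
        ks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    ct = stream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_etm(enc_key, mac_key, record):
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None          # rejected before any decryption touches the data
    return stream_xor(enc_key, nonce, ct)


def mac_then_encrypt(enc_key, mac_key, nonce, plaintext):
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return nonce + stream_xor(enc_key, nonce, plaintext + tag)


def decrypt_mte(enc_key, mac_key, record):
    nonce, body = record[:12], record[12:]
    inner = stream_xor(enc_key, nonce, body)   # must decrypt before verifying
    pt, tag = inner[:-32], inner[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, pt, hashlib.sha256).digest()):
        return None
    return pt


def demo():
    """Derive keys from a constructed secret, round-trip a message under
    both compositions, then flip one ciphertext bit and observe how much
    data each receiver decrypts before it notices."""
    shared_secret = bytes(range(32))               # constructed keyex output
    enc_key, mac_key = derive_keys(shared_secret, b"constructed-handshake-transcript")
    nonce = bytes(12)
    msg = b"keyex blob -> PRF -> independent keys"
    etm = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    mte = mac_then_encrypt(enc_key, mac_key, nonce, msg)
    results = {
        "keys_differ": enc_key != mac_key,
        "etm_ok": decrypt_etm(enc_key, mac_key, etm) == msg,
        "mte_ok": decrypt_mte(enc_key, mac_key, mte) == msg,
    }
    bad_etm, bad_mte = bytearray(etm), bytearray(mte)
    bad_etm[12] ^= 1                                # first ciphertext byte
    bad_mte[12] ^= 1
    decrypt_log.clear()
    results["etm_tampered"] = decrypt_etm(enc_key, mac_key, bytes(bad_etm))
    results["etm_bytes_decrypted"] = sum(decrypt_log)
    decrypt_log.clear()
    results["mte_tampered"] = decrypt_mte(enc_key, mac_key, bytes(bad_mte))
    results["mte_bytes_decrypted"] = sum(decrypt_log)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both receivers reject the modified record here, because a stream cipher has no padding or structure for the decryption step to trip over; the difference is in how much attacker-supplied data the MAC-then-Encrypt receiver has already run through the cipher (and any downstream parsing) before the check fires, which is exactly the surface the composition question is about.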