From: "David Wagner" <d...@cs.berkeley.edu>
Sent: Wednesday, September 16, 2009 5:19 PM
To: <cryptography@metzdowd.com>
Subject: Re: Detecting attempts to decrypt with incorrect secret key in OWASP ESAPI

I don't exactly follow the argument for using CCM mode instead
AES-CBC encryption followed by AES-CMAC, and I'm not familiar with
the political/perception arguments (who complains about the latter?),
but whatever.

I've actually had a few clients ask for a more detailed explanation of why it is ok, so there are people who are confused. Some people get confused.

It's hardly worth arguing over.  The cryptographic mode
of operation is unlikely to be the weakest link in your system, and the
security differences between CCM mode vs AES-CBC + AES-CMAC seem minor,
so it doesn't seem worth worrying too much about it: CCM mode seems good
enough.  I'm not sure I'm familiar with the arguments against EAX mode
(full disclosure: I'm a co-author on the EAX paper and hence probably
biased), but again, whatever.

Actually I think EAX is great, and if I had known you were replying while I was writing mine I wouldn't have replied at all. My problem is that I haven't taken the time to look over the patents on bordering technologies to see if I believe it is patent safe. Lately, I've been dealing with a lot of patent weirdness, so I'm more aware of patent issues.


Joseph Ashwood wrote:
Since you already have CBC available, my first suggestion would be CBC-MAC (IV = 0x0000000, pkcs5 padding works fine, MAC = final block of ciphertext),
it has good strong security proofs behind it, and is fast. [...]

Are you sure?  For vanilla CBC-MAC, the security proofs don't apply to
variable-length messages, and I recall that there are known attacks on
vanilla CBC-MAC when message lengths can vary (I'm not claiming those
attacks are necessarily realistic in all applications, but they may be).
AES-CMAC is a nice design that addresses this problem.  CMAC is based
upon CBC-MAC, but addresses the imperfections of vanilla CBC-MAC.

I could try and justify my position, but honestly, CMAC really doesn't have any real downsides, and the proof is tighter.

(I moved this down here)

These three choices are all good enough and
the security differences between them seem minor.  In my view, choosing
any of the three would be a reasonable choice.  Just my personal opinion.

As opinions go, it's hard to find a better source than David Wagner.

BTW: Anyone looking to make a venture capital investment?
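The two constructions compared above (vanilla CBC-MAC with zero IV and PKCS#5 padding, versus AES-CMAC) are shown side by side in the following added example; it is editor-supplied code, not code from either poster or from ESAPI. It implements AES-CMAC as specified in RFC 4493 (subkey derivation K1/K2 by doubling in GF(2^128), final-block masking, 0x80 padding for incomplete messages) and checks it against the RFC's published test vectors, using the `cryptography` package only for raw AES block encryption and as an independent cross-check. The vanilla CBC-MAC function is included purely so the two tag computations can be compared; it is the fixed-length-only construction the thread warns about, and the example does not exercise the variable-length weakness.

```python
"""AES-CMAC (RFC 4493) implemented from the spec, beside the vanilla CBC-MAC it repairs."""
import hmac
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.cmac import CMAC

BLOCK = 16
RB = 0x87  # reduction constant for doubling in GF(2^128) (RFC 4493 / NIST SP 800-38B)


def aes_ecb_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with raw AES; the only primitive CMAC needs."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit, XOR Rb if a bit fell off the top."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")


def cmac_subkeys(key: bytes) -> tuple[bytes, bytes]:
    """K1 and K2 per RFC 4493 section 2.3, derived from L = AES_K(0^128)."""
    l = aes_ecb_block(key, bytes(BLOCK))
    k1 = _double(l)
    k2 = _double(k1)
    return k1, k2


def aes_cmac(key: bytes, msg: bytes) -> bytes:
    """AES-CMAC tag per RFC 4493 section 2.4.

    The last block is XORed with K1 (complete block) or padded with 0x80 00.. and
    XORed with K2 (incomplete block); that masking is what makes the MAC secure
    for variable-length messages, unlike vanilla CBC-MAC.
    """
    k1, k2 = cmac_subkeys(key)
    n = (len(msg) + BLOCK - 1) // BLOCK
    if n == 0:
        n, complete = 1, False          # empty message: one padded block
    else:
        complete = len(msg) % BLOCK == 0
    last = msg[(n - 1) * BLOCK:]
    if complete:
        m_last = _xor(last, k1)
    else:
        padded = last + b"\x80" + bytes(BLOCK - len(last) - 1)
        m_last = _xor(padded, k2)
    x = bytes(BLOCK)                    # CBC state, zero IV
    for i in range(n - 1):
        x = aes_ecb_block(key, _xor(x, msg[i * BLOCK:(i + 1) * BLOCK]))
    return aes_ecb_block(key, _xor(x, m_last))


def vanilla_cbc_mac_pkcs5(key: bytes, msg: bytes) -> bytes:
    """The scheme proposed in the thread: CBC, zero IV, PKCS#5 padding, tag = last ciphertext block.
    Shown for comparison only; it is secure only for messages of one fixed length."""
    pad = BLOCK - (len(msg) % BLOCK)
    padded = msg + bytes([pad]) * pad
    x = bytes(BLOCK)
    for i in range(0, len(padded), BLOCK):
        x = aes_ecb_block(key, _xor(x, padded[i:i + BLOCK]))
    return x


def library_cmac(key: bytes, msg: bytes) -> bytes:
    """Independent reference: the cryptography package's own CMAC."""
    c = CMAC(algorithms.AES(key))
    c.update(msg)
    return c.finalize()


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check: recompute and compare in constant time."""
    return hmac.compare_digest(aes_cmac(key, msg), tag)


# Test vectors from RFC 4493 section 4 (not constructed; copied from the RFC).
RFC_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
RFC_MSG16 = bytes.fromhex("6bc1bee22e409f96e93d7e117393172a")
RFC_TAG_EMPTY = bytes.fromhex("bb1d6929e95937287fa37d129b756746")
RFC_TAG_16 = bytes.fromhex("070a16b46b4d4144f79bdd9dd04a287c")

if __name__ == "__main__":
    print("CMAC(empty) ok:", aes_cmac(RFC_KEY, b"") == RFC_TAG_EMPTY)
    print("CMAC(16 B)  ok:", aes_cmac(RFC_KEY, RFC_MSG16) == RFC_TAG_16)
    print("vanilla CBC-MAC == CMAC?", vanilla_cbc_mac_pkcs5(RFC_KEY, RFC_MSG16) == RFC_TAG_16)
```

The point of the side-by-side is visible in the last line of output: for the same key and message the two constructions produce different tags, because CMAC's final block is masked with a secret subkey before the last AES call, and the padding rule (0x80 then zeros, applied only when the last block is incomplete) never adds a whole block. Both the subkey masking and the padding distinction are what the "vanilla CBC-MAC" proposal lacks.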