On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz <fra...@pwpconsult.com> wrote:

> Authentication is achieved by signing the entire exchange with
> DSA. -- Change the protocol to sign the exchange with both RSA
> and DSA and send and check both signatures.

Remember to generate the nonce for DSA using a deterministic method.

> The current data exchange encryption uses SHA1 in HMAC mode and
> 3DES in CBC mode with MAC then encrypt. The only saving grace is
> that the first block of each message is the HMAC, which will
> make the known plain text attacks on the protocol harder. -- I
> would replace this protocol with one that encrypts twice and
> MACs twice. Using one of the modes which encrypt and MAC in one
> operation as the inner layer is very tempting with a different
> cypher in counter mode and a HMAC as the outer layer.

I confess I'm not sure what the current state of research is on MAC then Encrypt vs. Encrypt then MAC -- you may want to check on that. Also, you may want to generate your IVs deterministically from a block cipher in counter mode, and not actually send them on the wire -- see earlier discussions for why that is good, but in addition to assuring the IVs are unpredictable and do not repeat, it prevents a bad actor from using the IV as a covert channel. (Some would argue against using CBC mode entirely -- see Rogaway's paper on block cipher modes.)

Perry

--
Perry E. Metzger    pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
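The two mechanisms Perry recommends for the record layer, encrypt-then-MAC with the MAC verified before anything is decrypted, and IVs derived on both sides from a block cipher in counter mode so that they never appear on the wire, are shown together in the following Go program. This is an added example written for this page, not code from either poster or from the protocol under discussion. It substitutes AES-128-CBC and HMAC-SHA256 for the 3DES-CBC and HMAC-SHA1 the original protocol uses, and the three keys, the message number scheme and the `Seal`/`Open` record format are constructed for the illustration, not taken from the thread.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keys for one direction of a session. A real protocol would derive all
// three from the key exchange; these are constructed sample values.
type Keys struct {
	EncKey []byte // AES-128 key for CBC data encryption
	IVKey  []byte // separate AES-128 key used only to derive IVs
	MacKey []byte // HMAC-SHA256 key
}

// SampleKeys returns fixed, constructed keys so the example runs offline.
func SampleKeys() Keys {
	return Keys{
		EncKey: []byte("example-enc-key!"),
		IVKey:  []byte("example-iv-key!!"),
		MacKey: []byte("example-mac-key!"),
	}
}

// deriveIV computes the IV for message number n as AES_IVKey(counter n).
// Both endpoints compute it from the shared key and the message count,
// so it is never transmitted: it cannot repeat, is unpredictable without
// IVKey, and leaves an insider no IV field to use as a covert channel.
func deriveIV(ivKey []byte, n uint64) ([]byte, error) {
	blk, err := aes.NewCipher(ivKey)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[8:], n)
	iv := make([]byte, aes.BlockSize)
	blk.Encrypt(iv, ctr)
	return iv, nil
}

// pad / unpad implement PKCS#7 padding for the CBC layer.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// tag is HMAC-SHA256 over (message number || ciphertext). Binding the
// message number rejects a record replayed into a different slot.
func tag(macKey []byte, n uint64, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	var nb [8]byte
	binary.BigEndian.PutUint64(nb[:], n)
	h.Write(nb[:])
	h.Write(ct)
	return h.Sum(nil)
}

// Seal encrypts plaintext as message n and returns ciphertext || tag.
// The IV is used locally but not included in the record.
func Seal(k Keys, n uint64, plaintext []byte) ([]byte, error) {
	iv, err := deriveIV(k.IVKey, n)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return append(ct, tag(k.MacKey, n, ct)...), nil
}

// Open verifies the tag in constant time first; only an authentic record
// reaches the decryption and padding check (encrypt-then-MAC order).
func Open(k Keys, n uint64, record []byte) ([]byte, error) {
	if len(record) < sha256.Size+aes.BlockSize {
		return nil, errors.New("record too short")
	}
	ct, got := record[:len(record)-sha256.Size], record[len(record)-sha256.Size:]
	if !hmac.Equal(got, tag(k.MacKey, n, ct)) {
		return nil, errors.New("MAC check failed")
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	iv, err := deriveIV(k.IVKey, n)
	if err != nil {
		return nil, err
	}
	blk, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	k := SampleKeys()
	rec, _ := Seal(k, 1, []byte("hello"))
	pt, err := Open(k, 1, rec)
	fmt.Printf("record %d bytes, opened %q, err=%v\n", len(rec), pt, err)
	rec[0] ^= 1 // flip one ciphertext bit: rejected before decryption
	_, err = Open(k, 1, rec)
	fmt.Println("tampered record:", err)
}
```

Because the IV is recomputed from the message number rather than read from the record, a tampered IV field is not even a possibility, and the MAC covering the counter means a record cannot be accepted out of order or twice. Two independent keys are used for data encryption and IV derivation so that the IV stream reveals nothing about the data key.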