On Sep 17, 2013, at 6:21 PM, John Kelsey <crypto....@gmail.com> wrote:
>> I confess I'm not sure what the current state of research is on MAC
>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
> 
> Encrypt then MAC has a couple of big advantages centering around the idea 
> that you don't have to worry about reaction attacks, where I send you a 
> possibly malformed ciphertext and your response (error message, acceptance, 
> or even time differences in when you send an error message) tells me 
> something about your secret internal state.  
On a purely practical level, to reject a damaged message, with decrypt-then-MAC 
(ordering things on the receiver's side...) I have to pay the cost of a 
decryption plus a MAC computation; with MAC-then-decrypt, I only pay the cost 
of the MAC.  On top of this, decryption is often more expensive than MAC 
computation.  So decrypt-then-MAC makes DOS attacks easier.

One could also imagine side-channel attacks triggered by chosen ciphertext.  
Decrypt-then-MAC allows an attacker to trigger them; MAC-then-decrypt does not. 
(Attacks on MACs seem somewhat less likely to be data dependent, but who 
knows for sure.  In any case, even if you had such an attack, it would get you 
the authentication key - and at that point you would be able to *start* your 
attack, not the decryption key.)

MAC'ing the actual data always seemed more "logical" to me, but once you look 
at the actual situation, it no longer seems like the right thing to do.

                                                        -- Jerry
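The receiver-side cost argument above, as an added example that is not part of Jerry's post: both orderings are implemented over a toy HMAC-SHA256 counter-mode keystream (a constructed stand-in for a real cipher, chosen so the code runs with the standard library alone), with counters showing that the Encrypt-then-MAC receiver rejects a tampered ciphertext after one MAC and zero decryptions, while the MAC-then-Encrypt receiver must pay for a decryption first. The function and constant names (`etm_seal`, `mte_open`, `rejection_cost`, `COST`) are assumptions of this example.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 16
COST = {"decrypt": 0, "mac": 0}  # receiver-side operation counter


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256: a constructed stand-in for a
    # real cipher so the example runs with the standard library only.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    COST["decrypt"] += 1  # every cipher pass is counted as a decryption
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def _mac(key: bytes, data: bytes) -> bytes:
    COST["mac"] += 1
    return hmac.new(key, data, hashlib.sha256).digest()


def etm_seal(ek: bytes, mk: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _crypt(ek, nonce, pt)
    return ct + _mac(mk, ct)  # tag computed over the ciphertext


def etm_open(ek: bytes, mk: bytes, msg: bytes):
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mk, ct)):
        return None  # rejected on the MAC alone; no decryption happened
    return _crypt(ek, ct[:NONCE_LEN], ct[NONCE_LEN:])


def mte_seal(ek: bytes, mk: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _crypt(ek, nonce, pt + _mac(mk, pt))  # tag over plaintext, then encrypted


def mte_open(ek: bytes, mk: bytes, msg: bytes):
    inner = _crypt(ek, msg[:NONCE_LEN], msg[NONCE_LEN:])  # must decrypt before checking
    pt, tag = inner[:-TAG_LEN], inner[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(mk, pt)):
        return None
    return pt


def rejection_cost(sealer, opener):
    # Flip one ciphertext byte and count what the receiver did before rejecting it.
    ek, mk = os.urandom(32), os.urandom(32)
    msg = bytearray(sealer(ek, mk, b"constructed sample message"))
    msg[NONCE_LEN] ^= 0x01
    COST["decrypt"] = COST["mac"] = 0
    return opener(ek, mk, bytes(msg)), dict(COST)
```

`rejection_cost(etm_seal, etm_open)` returns `(None, {"decrypt": 0, "mac": 1})` while `rejection_cost(mte_seal, mte_open)` returns `(None, {"decrypt": 1, "mac": 1})`, which is the asymmetry the post describes.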

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography