On Sep 17, 2013, at 7:18 PM, Jerry Leichter wrote:
> On Sep 17, 2013, at 6:21 PM, John Kelsey <[email protected]> wrote:
>>> I confess I'm not sure what the current state of research is on MAC
>>> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
>>
>> Encrypt then MAC has a couple of big advantages centering around the idea
>> that you don't have to worry about reaction attacks, where I send you a
>> possibly malformed ciphertext and your response (error message, acceptance,
>> or even time differences in when you send an error message) tells me
>> something about your secret internal state.
> On a purely practical level, to reject a damaged message, with
> decrypt-then-MAC (ordering things on the receiver's side...) I have to pay
> the cost of a decryption plus a MAC computation; with MAC-then-decrypt, I
> only pay the cost of the MAC. On top of this, decryption is often more
> expensive than MAC computation. So decrypt-then-MAC makes DOS attacks easier.
>
> One could also imagine side-channel attacks triggered by chosen ciphertext.
> Decrypt-then-MAC allows an attacker to trigger them; MAC-then-decrypt does
> not. (Attacks on MAC's seems somewhat less likely to be data dependent, but
> who knows for sure. In any case, even if you had such an attack, it would
> get you the authentication key - and at that point you would be able to
> *start* your attack not the decryption key.
People have made these attacks mildly practical (and note how old this and the
cited paper are).
http://kebesays.blogspot.com/2010/11/mac-then-encrypt-also-harmful-also-hard.html
Dan
_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography
