On Oct 12, 2013, at 6:51 AM, Ben Laurie <b...@links.org> wrote:
...
> AIUI, you're trying to make it so that only active attacks work on the
> combined protocol, whereas passive attacks might work on the outer
> protocol. In order to achieve this, you assume that your proposed
> inner protocol is not vulnerable to passive attacks (I assume the
> outer protocol also thinks this is true). Why should we believe the
> inner protocol is any better than the outer one in this respect?

The point is, we don't know how to make protocols that really are reliably 
secure against future attacks.  If we did, we'd just do that. 


My hope is that if we layer two of our best attempts at secure protocols on top 
of one another, then we will get security because the attacks will be hard to 
get through the composed protocols.  So maybe my protocol (or whatever inner 
protocol ends up being selected) isn't secure against everything, but as long 
as its weaknesses are covered up by the outer protocol, we still get a secure 
final result.  

One requirement for this is that the inner protocol must not introduce new 
weaknesses.  I think that means it must not:

a.  Leak information about its plaintexts in its timing, error messages, or 
ciphertext sizes.  

b.  Introduce ambiguities about how the plaintext is to be decrypted that could 
mess up the outer protocol's authentication.  

I think we can accomplish (a) by not compressing the plaintext before 
processing it, by using crypto primitives that don't leak plaintext data in 
their timing, and by having the only error message that can ever be generated 
from the inner protocol be essentially a MAC failure or an out-of-sequence 
error.  

I think (b) is pretty easy to accomplish with standard crypto, but maybe I'm 
missing something.  

...
> Particularly since you're using tainted algorithms ;-).

If using AES or P256 are the weak points in the protocol, that is a big win.  
Right now, we aren't getting anywhere close to that.  And there's no reason 
either AES or P256 have to be used--I'm just looking for a simple, lightweight 
way to get as much security as possible inside some other protocol.  

--John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
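
The properties listed under (a) and (b) in the message above, sketched as an added example that is not part of the original post and is not the protocol John proposed. The names `InnerChannel` and `RecordError` are hypothetical, the keys are constructed, and the cipher is a stand-in keystream built from HMAC-SHA256 because the Python standard library has no AES.

```python
import hashlib, hmac, struct

TAG_LEN = 32  # HMAC-SHA256 tag size

class RecordError(Exception):
    """The single error the inner layer can raise (hypothetical name)."""

def _keystream(key, seq, n):
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, keyed per record by seq.
    blocks = (hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class InnerChannel:
    """One direction of a hypothetical inner record layer: encrypt-then-MAC, no compression."""
    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.send_seq = self.recv_seq = 0

    def _xor(self, seq, data):
        return bytes(a ^ b for a, b in zip(data, _keystream(self.enc_key, seq, len(data))))

    def _tag(self, seq, ct):
        # Fixed-width sequence number and length are MACed, so there is one way to parse a record.
        return hmac.new(self.mac_key, struct.pack(">QI", seq, len(ct)) + ct, hashlib.sha256).digest()

    def seal(self, plaintext):
        seq, self.send_seq = self.send_seq, self.send_seq + 1
        ct = self._xor(seq, plaintext)  # record size depends only on plaintext length
        return struct.pack(">Q", seq) + ct + self._tag(seq, ct)

    def open(self, record):
        if len(record) < 8 + TAG_LEN:
            raise RecordError("record rejected")
        seq = struct.unpack(">Q", record[:8])[0]
        ct, tag = record[8:-TAG_LEN], record[-TAG_LEN:]
        mac_ok = hmac.compare_digest(tag, self._tag(seq, ct))  # constant-time compare
        seq_ok = seq == self.recv_seq
        if not (mac_ok and seq_ok):  # same error for forgery, replay and reordering
            raise RecordError("record rejected")
        self.recv_seq += 1
        return self._xor(seq, ct)  # decrypt only after authentication succeeds

if __name__ == "__main__":
    tx, rx = InnerChannel(b"\x00" * 32, b"\x01" * 32), InnerChannel(b"\x00" * 32, b"\x01" * 32)  # constructed keys
    print(rx.open(tx.seal(b"hello")))
```

The example collapses the MAC-failure and out-of-sequence cases into one indistinguishable error, which is slightly stricter than the message requires.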
