hey Tor! ;) Colin Percival also had interesting comments re encrypt-then-mac vs others: http://www.daemonology.net/blog/2009-06.html
On Mon, Feb 20, 2012 at 4:54 PM, <[email protected]> wrote:
> [ianG, 2012-02-20]
>> A good plaintext packet design can push strong variation into the first
>> bytes. e.g., the MAC can go at the beginning not the end. It used to be
>> customary to put the MAC at the end because hardware calculated it and
>> streamed it at the same time, but software doesn't work that way.
>>
>> (There was a paper suggesting that encrypt-then-mac was better than
>> mac-then-encrypt, but I vaguely recall this result only applies under some
>> circumstances. Does anyone recall how important this issue was?)
>
> As I recall it:
>
> Either mode should be secure in practice if implemented using a secure cipher
> and a secure MAC and used correctly. Using Encrypt-then-MAC yields better
> provable security properties, see the paper by Bellare and Namprempre for
> details (<http://cseweb.ucsd.edu/~mihir/papers/oem.html> "Authenticated
> Encryption: Relations among notions and analysis of the generic composition
> paradigm").
>
> The main advantage of Encrypt-then-MAC (both in theory and in practice) is
> that EtM lets you reject all invalid ciphertexts without having to decrypt.
> This both makes the proof easier, and saves you some cycles whenever a bad
> packet comes along.
>
> Cheers, Tor
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
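The point made in the quoted reply, that encrypt-then-MAC lets a receiver reject invalid ciphertexts without decrypting, combined with ianG's MAC-first packet layout, as an added Python example that is not part of the original thread. The HMAC-SHA256 counter-mode keystream is a stand-in for a real cipher, and the names `seal`, `open_packet` and the `tag || nonce || ciphertext` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 16
decrypt_calls = 0  # how many times the receiver actually ran the cipher


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), illustration only."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC nonce+ciphertext. Packet = tag || nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return tag + nonce + ciphertext  # MAC at the front, as ianG suggests


def open_packet(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Return the plaintext, or None if the packet fails authentication."""
    global decrypt_calls
    if len(packet) < TAG_LEN + NONCE_LEN:
        return None
    tag, body = packet[:TAG_LEN], packet[TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # rejected here: the cipher is never run on bad input
    decrypt_calls += 1
    return _keystream_xor(enc_key, body[:NONCE_LEN], body[NONCE_LEN:])


def demo():
    """Constructed sample: a tampered packet, then the untouched original."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    good = seal(enc_key, mac_key, b"constructed sample payload")
    bad = good[:-1] + bytes([good[-1] ^ 0x01])  # flip one ciphertext bit
    before = decrypt_calls
    rejected = open_packet(enc_key, mac_key, bad)
    calls_for_bad = decrypt_calls - before
    return rejected, calls_for_bad, open_packet(enc_key, mac_key, good)
```

`demo()` returns the result for the tampered packet, the number of decryptions it triggered, and the plaintext recovered from the untouched packet.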
