One benefit of encrypting the MAC is that an attacker will have to first
break the encryption and then the MAC to attempt modifying messages
(especially in RC4, as mentioned below).  Breaking the encryption grants an
attacker read access to data.  Breaking the MAC grants the attacker write
access to the data (albeit blind writes if the encryption remains unbroken).
Usually reading data is less harmful than modifying it (think standard UNIX
file permissions).  I recommend the much more detailed analysis of both ways
of ordering from the following book:

8.2 Order of Authentication and Encryption
...
In general, authentication is more important than encryption.  We therefore
prefer to expose the encryption function to Eve's direct attacks and protect
the MAC as much as possible.
...
Ferguson, Schneier: Practical Cryptography p. 116
http://www.amazon.com/gp/reader/0471223573/ref=sib_vae_srch/104-9575567-9415962?v=search-inside&keywords=authentication+is+more+important+than+encryption

J Harper
http://www.peersec.com

----- Original Message -----
From: "Vadim Fedukovich" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, February 23, 2004 12:02 PM
Subject: Re: question on MAC


> On Fri, Feb 20, 2004 at 03:52:00PM -0700, Swaminathan P wrote:
> > Hi,
> > Can someone help me with info on this question?
> > Is there some significance to encrypt the MAC along with the message?
> > Is there some pitfall in leaving the MAC in the cleartext and encrypt the
> > message alone...
> >
> > thanks,
> > swami
>
> the MAC was introduced to detect modified ciphertext.
> The problem could be introduced best with a stream cipher (RC4)
> that XORs data stream with the key-derived stream.
> Someone might not need to know all the original data but just
> to flip a bit at the known position. The example might be acquirer's
> response regarding authorization status obtained on known-invalid
> credit card data. Without a MAC, one could XOR one bit of the encrypted
> response and have the goods shipped.
> Using MAC on ciphertext, one could let (grant) the power to detect
> such an attack without accessing encrypted data.
> For completeness, one might also use MAC on cleartext: running
> quite a sensitive (sometimes fragile) operation without checking
> the input first.
>
> regards,
> Vadim
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
