> Don't forget Bleichenbacher's error channel attack on SSL
> implementations, which focussed on the mac then encrypt design of
> SSL... web servers gave different error for malformed padding vs
> plaintext MAC failure. The lesson I drew from that is the
> conservative choice is encrypt then MAC.

Bleichenbacher's attack focused on RSA PKCS#1 decryption. You're thinking of Vaudenay's, which focused on CBC padding errors.

There are other lessons to draw too, most notably: don't ever let the sender know the reason why a decryption-and-authentication failed.

William

---------------------------------------------------------------------
The Cryptography Mailing List
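
The rule in the reply above, shown as an added example that is not part of the original message: a MAC-then-encrypt record opener that reports the cause of failure, next to one that returns a single error for every cause. Assumptions: HMAC-SHA256, 16-byte blocks, PKCS#7-style padding, and input that is the plaintext after CBC decryption; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

BLOCK, MAC_LEN = 16, 32  # CBC block size; HMAC-SHA256 tag length (assumed)

class DecryptError(Exception):
    pass

def _tag(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_record(key, msg):
    """MAC-then-pad plaintext, as it exists just before CBC encryption."""
    body = msg + _tag(key, msg)
    pad = BLOCK - len(body) % BLOCK
    return body + bytes([pad]) * pad

def open_leaky(key, plain):
    """Reports why it failed: the distinguishable error is the channel."""
    pad = plain[-1] if plain else 0
    if not (1 <= pad <= BLOCK) or plain[-pad:] != bytes([pad]) * pad:
        raise DecryptError("malformed padding")
    body = plain[:-pad]
    if not hmac.compare_digest(body[-MAC_LEN:], _tag(key, body[:-MAC_LEN])):
        raise DecryptError("MAC failure")
    return body[:-MAC_LEN]

def open_uniform(key, plain):
    """One error for every failure; the MAC is checked even if padding is bad."""
    if len(plain) < MAC_LEN + 1 or len(plain) % BLOCK:
        raise DecryptError("decryption failed")
    pad = plain[-1]
    pad_ok = (1 <= pad <= min(BLOCK, len(plain) - MAC_LEN)
              and plain[-pad:] == bytes([pad]) * pad)
    # On bad padding, treat the pad length as zero and still run the MAC check.
    body = plain[:len(plain) - (pad if pad_ok else 0)]
    mac_ok = hmac.compare_digest(body[-MAC_LEN:], _tag(key, body[:-MAC_LEN]))
    if not (pad_ok and mac_ok):
        raise DecryptError("decryption failed")
    return body[:-MAC_LEN]

def reason(opener, key, plain):
    """What the sender would learn from a given opener."""
    try:
        opener(key, plain)
        return "ok"
    except DecryptError as e:
        return str(e)

# Constructed sample inputs.
KEY = b"k" * 32
GOOD = build_record(KEY, b"transfer 100 to alice")
BAD_PAD = GOOD[:-1] + b"\x00"              # padding byte corrupted
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]  # message byte flipped, padding intact
```

A uniform error message is necessary but not sufficient: response timing can still differ between the two failure paths, which is part of why the quoted message prefers encrypt-then-MAC.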