David-Sarah Hopwood wrote:
> - If the encryption used to produce k_enc is not an authenticated
>   encryption scheme, then an attacker can potentially modify k_enc,
>   and now an incorrect key k will be used for the decryption
>   (possibly one that is related to the correct key). This means
>   that an incorrect plaintext will be produced and accepted,
>   assuming that the main encryption algorithm is also not
>   authenticated. The check that r = H(k, v) will not catch this
>   since it only verifies the ciphertext.
Sorry, I'm talking nonsense. The incorrect k *will* be caught by the check on H(k, v). OTOH, that depends on there being no interaction between the k_enc encryption and the hash. So it does seem as though a security proof may be easier if the k_enc encryption is authenticated.

-- 
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com

_______________________________________________
tahoe-dev mailing list
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
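The two points in the exchange above, as an added example in Python that is not from this thread or from Tahoe-LAFS: with an unauthenticated key wrap, a flipped bit in k_enc decrypts to a related but wrong k, and the r = H(k, v) check still rejects it; with an HMAC over k_enc, the tampered blob is rejected before any decryption and without relying on H at all. The SHA-256 counter-mode keystream standing in for the unauthenticated cipher, the derivation of separate wrap and MAC keys, and reading v as the main ciphertext are all assumptions of this example.

```python
import hashlib
import hmac

def keystream(wrap_key: bytes, n: int) -> bytes:
    # Constructed stand-in for an unauthenticated stream cipher (SHA-256 in counter mode).
    # Any plain stream/CTR mode has the same property: flipping a ciphertext bit flips
    # the corresponding plaintext bit, so the decrypted k is "related" to the real k.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"enc" + wrap_key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def wrap_unauth(wrap_key: bytes, k: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(k, keystream(wrap_key, len(k))))

unwrap_unauth = wrap_unauth  # XOR with the same keystream is its own inverse

def H(k: bytes, v: bytes) -> bytes:
    # The r = H(k, v) check from the thread; v assumed to be the main ciphertext.
    return hashlib.sha256(k + v).digest()

def decrypt_and_check(wrap_key: bytes, k_enc: bytes, v: bytes, r: bytes):
    """Unwrap k, then accept it only if H(k, v) matches the stored r."""
    k = unwrap_unauth(wrap_key, k_enc)
    return k if hmac.compare_digest(H(k, v), r) else None

def tamper(blob: bytes) -> bytes:
    # Constructed corruption: one bit of the first byte flipped in transit/storage.
    return bytes([blob[0] ^ 0x01]) + blob[1:]

def scenario_unauth(wrap_key: bytes, k: bytes, v: bytes):
    """Returns (honest k accepted?, tampered k_enc rejected by the H(k, v) check?)."""
    k_enc, r = wrap_unauth(wrap_key, k), H(k, v)
    honest = decrypt_and_check(wrap_key, k_enc, v, r)
    tampered = decrypt_and_check(wrap_key, tamper(k_enc), v, r)
    return honest == k, tampered is None

def mac_key(wrap_key: bytes) -> bytes:
    return hashlib.sha256(b"mac" + wrap_key).digest()  # separate key for the MAC

def wrap_auth(wrap_key: bytes, k: bytes) -> bytes:
    k_enc = wrap_unauth(wrap_key, k)
    return k_enc + hmac.new(mac_key(wrap_key), k_enc, hashlib.sha256).digest()

def unwrap_auth(wrap_key: bytes, blob: bytes):
    """Reject a modified k_enc before decrypting; no interaction with H(k, v) needed."""
    k_enc, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key(wrap_key), k_enc, hashlib.sha256).digest()
    return unwrap_unauth(wrap_key, k_enc) if hmac.compare_digest(expected, tag) else None
```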
