On the Use of Theoretical Cryptography Jargon in Casual Conversation
OK, this is a PGP advocacy article in that it uses an argument against the current OpenPGP encryption mode seen in the wild but the ideas here are generic and apply whenever theoretical cryptography concepts appear outside of the normal context for such things.
When discussing the OCFB-MDC mode used in OpenPGP to encrypt and protect the integrity of messages/files, jargon from the world of theoretical cryptography will sometimes show up. I will choose an example that will let me make my points in quick succession:
OpenPGP's OCFB-MDC is inferior because it falls into the class of INT-PTXT instead of the class of INT-CTXT.
The validity of theory rests on the assumptions. Let's rework the proceeding statement in terms of those assumptions:
For the case of a MAC (message authentication code) providing specific guarantees used with an encryption scheme providing specific guarantees but acting independently, schemes that fall under the INT-CTXT definition can be guaranteed to be secure. Schemes that fall under the INT-PTXT definition can not be guaranteed to be secure under the same assumptions and definition of secure.
First of all, OCFB-MDC is not a combination of a MAC and an encryption scheme working independently. The OCFB encryption part works in combination with the MDC integrity check. The MDC is not a MAC. The OCFB-MDC is a different sort of scheme. The argument does not apply to begin with, but I still have another point to make. Let's continue…
You receive an encrypted message. You are interested in determining if the message was modified in transit. You could use some sort of integrity check on the encrypted message (INT-CTXT). Alternatively you could wait until after the message is decrypted and then use an integrity check on the decrypted message (INT-PTXT). INT-CTXT is an abbreviation of “integrity of the ciphertext” and INT-PTXT means “integrity of the plaintext”. OCFB-MDC first decrypts the message and then checks the integrity of the decrypted text. So OCFB-MDC falls under the INT-PTXT category.
Nothing in my reworked statement says anything about the ultimate security of of a scheme based on INT-PTXT. It only makes a statement about the security of some INT-CTXT schemes. So OCFB-MDC may or may not be secure but the original statement is not any sort of proof that it is not. So the basic logic does not work for the statement in question.
Note that INT-PTXT schemes like OCFB-MDC are known to be secure based on ideas from theoretical cryptography. One requirement seems to be that the INT-PTXT scheme has to act as a INT-CTXT scheme. That is, any attempt to modify the encrypted material will reliably cause a modification of the decrypted plaintext that will be detected by the integrity check on the plaintext. OCFB-MDC meets this requirement in that a change of any encrypted bit will cause a change in the decrypted plaintext or the integrity check value (hash). Coverage of the encrypted material is complete:
From: The OpenPGP Modification Detection Code is Actually Good
Contrast this with the situation with the AES-CBC mode in SSL/TLS (an INT-PTXT scheme):
Simplified version of Figure 1 from Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
Here the integrity check (hash) coverage does not include an encrypted part of the message called the padding. The AES-CBC mode in SSL/TLS is infamous for trouble with information leaks related to this padding.
Another requirement for a secure INT-PTXT scheme seems to be that the attacker is prevented from generating a valid integrity check value without knowledge of the key. OCFB-MDC meets this requirement as well.
The more general points here are that if you are intending to use concepts from a highly theoretical body of thought to prove something:
- Be sure that the system of thought applies in the first place.
- Be sure that the system of thought actually proves your contention.
- Check to see if there is another system of thought that might cover the case better.
References
This covers the system of thought that the idea that INT-CTXT is inherently better than INT-PTXT came from:
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
This shows that both a one time pad scheme and a CBC (cipher block chaining) scheme based on INT-PTXT can be made secure:
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
This makes the point that requiring knowledge of the key to generate the integrity check value is important for insuring the security of a scheme based on INT-PTXT. This is demonstrated by simply encrypting the last block of a INT-PTXT CBC scheme with a different key and then showing the result is secure.