The Call of the Open Sidewalk

From a place slightly to the side of the more popular path


pgpfan:cryptodoom

Differences

This shows you the differences between two versions of the page.

pgpfan:cryptodoom [2023/05/25 19:27] – created b.walzer
pgpfan:cryptodoom [2023/05/25 19:31] (current) – Typos b.walzer

Line 32:
 TCDP precludes MAC then encrypt because that method hides the MAC under the encryption. You have to decrypt first to get at the MAC. What would a principle in the form of TCDP look like that allowed MAC then encrypt? Here is a suitably modified version of TCDP:
  
-**If you have to perform any operation based on the decrypted plain text before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom.**
+**If you have to perform any operation based on the decrypted plain text before verifying the MAC on a message you've received, it will somehow inevitably lead to doom.**
  
 I will dub this the relaxed cryptographic doom principle (TRCDP). Let's apply it to the examples referenced from TCDP.
Line 48:
 Generally the way this stuff works is that encrypt then MAC protects the encryption and MAC then encrypt protects the MAC (or whatever is being used as an integrity check). Since the encryption is mostly what we want to protect, doesn't that mean that encrypt then MAC is generically better, even if the threat is low or nonexistent? Well, yes, but the thing is, there are significant advantages to protecting the MAC.
  
-The big advantage is that if the MAC is protected by the encryption, then you don't even need a MAC. That is why the OpenPGP block cipher mode does not require the use of a MAC. It only requires a non-reversible hash. So that hash is much less likely to cause issues from future discoveries of cryptographic weaknesses. This is am important attribute for a standard like OpenPGP that is expected to be secure for as long as someone keeps encrypted files around or archived messages.
+The big advantage is that if the MAC is protected by the encryption, then you don't even need a MAC. That is why the OpenPGP block cipher mode does not require the use of a MAC. It only requires a non-reversible hash. So that hash is much less likely to cause issues from future discoveries of cryptographic weaknesses. This is an important attribute for a standard like OpenPGP that is expected to be secure for as long as someone keeps encrypted files around or archived messages.
  
 If you don't have a MAC then you don't have to generate a separate key for the MAC unrelated to the encryption key. So the result can be simpler.
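Review bot: the sentence "if the MAC is protected by the encryption, then you don't even need a MAC" in this hunk holds only under the condition stated in the Line 32 hunk (TRCDP): no operation may be performed on the decrypted plain text before the integrity check is verified. A decrypt-then-check implementation that acts on the plaintext before the hash is checked loses exactly the protection this paragraph credits to the encrypted hash. Suggest making that dependency explicit, for example "if the hash is protected by the encryption and is verified before anything else touches the plaintext, then you don't even need a MAC".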
pgpfan/cryptodoom.1685042825.txt.gz · Last modified: 2023/05/25 19:27 by b.walzer