pgpfan:cryptodoom
Differences
Old revision: pgpfan:cryptodoom [2023/05/25 19:27] – created b.walzer
New revision: pgpfan:cryptodoom [2023/05/25 19:31] (current) – Typos b.walzer
Line 32: | Line 32: | ||
TCDP precludes MAC then encrypt because that method hides the MAC under the encryption. You have to decrypt first to get at the MAC. What would a principle in the form of TCDP look like that allowed MAC then encrypt? Here is a suitably modified version of TCDP: | TCDP precludes MAC then encrypt because that method hides the MAC under the encryption. You have to decrypt first to get at the MAC. What would a principle in the form of TCDP look like that allowed MAC then encrypt? Here is a suitably modified version of TCDP: | ||
- | **If you have to perform any operation based on the decrypted plain text before verifying the MAC on a message youโve received, it will somehow inevitably lead to doom.** | + | **If you have to perform any operation based on the decrypted plain text before verifying the MAC on a message you've received, it will somehow inevitably lead to doom.** |
I will dub this the relaxed cryptographic doom principle (TRCDP). Let's apply it to the examples referenced from TCDP. | I will dub this the relaxed cryptographic doom principle (TRCDP). Let's apply it to the examples referenced from TCDP. | ||
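Review bot: the relaxed principle in this hunk hinges entirely on what counts as "any operation based on the decrypted plain text", and that scope should be stated explicitly. A MAC-then-encrypt receiver must at minimum decrypt and then locate the MAC inside the plaintext, so the text should say whether parsing steps taken to find the MAC (reading a length field, stripping padding) are themselves forbidden operations; otherwise the relaxed form silently permits the same class of error the original TCDP rules out, and the promised application to the TCDP examples cannot be checked against it.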
Line 48: | Line 48: | ||
Generally the way this stuff works is that encrypt then MAC protects the encryption and MAC then encrypt protects the MAC (or whatever is being used as an integrity check). Since the encryption is mostly what we want to protect, doesn' | Generally the way this stuff works is that encrypt then MAC protects the encryption and MAC then encrypt protects the MAC (or whatever is being used as an integrity check). Since the encryption is mostly what we want to protect, doesn' | ||
- | The big advantage is that if the MAC is protected by the encryption, then you don't even need a MAC. That is why the OpenPGP block cipher mode does not require the use of a MAC. It only requires a non-reversible hash. So that hash is much less likely to cause issues from future discoveries of cryptographic weaknesses. This is am important attribute for a standard like OpenPGP that is expected to be secure for as long as someone keeps encrypted files around or archived messages. | + | The big advantage is that if the MAC is protected by the encryption, then you don't even need a MAC. That is why the OpenPGP block cipher mode does not require the use of a MAC. It only requires a non-reversible hash. So that hash is much less likely to cause issues from future discoveries of cryptographic weaknesses. This is an important attribute for a standard like OpenPGP that is expected to be secure for as long as someone keeps encrypted files around or archived messages. |
If you don't have a MAC then you don't have to generate a separate key for the MAC unrelated to the encryption key. So the result can be simpler. | If you don't have a MAC then you don't have to generate a separate key for the MAC unrelated to the encryption key. So the result can be simpler. |
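Review bot: the second paragraph's claim that a non-reversible hash under encryption removes the need for a MAC rests on an unstated assumption: the hash is only as protected as the encryption's resistance to controlled ciphertext modification, so "MAC then encrypt protects the MAC" holds for some cipher modes and not others. The paragraph should name that dependency, since the argument that the hash is "much less likely to cause issues from future discoveries of cryptographic weaknesses" moves the burden onto the cipher mode rather than removing it. Also, the first paragraph is cut off after "doesn'" in both columns, so the sentence it opens cannot be reviewed.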
pgpfan/cryptodoom.1685042825.txt.gz · Last modified: 2023/05/25 19:27 by b.walzer