
Re: compression, privacy, and authenticity transforms
Hi, Russ.  You write:

 >  We can take advantage of the properties of the 
 > encryption algorithm and mode to reduce the requirements on the complexity 
 > of the integrity mechanism iff the integrity check value is protected by 
 > the encryption.  

But I believe that every time a "more efficient" integrity-using-encryption
mechanism has been suggested, it does not actually work.  (As a well-known
example, adding a simple Modification Detection Code (MDC) (like a CRC) in the
scope of DES-CBC encrypted text won't somehow make the message "authenticated".)

 > This also means that one key can be used to provide 
 > confidentiality and integrity.

You should not use the same *operational* key to encrypt and authenticate
a message.  If you do this, for many pairs of mechanisms, the encryption
(resp., authentication) essentially invalidates the authentication 
(resp., encryption).  Nonetheless ...

 > The reduced computation and reduced key management complexity make this 
 > type of combination very attractive.

There is no extra key management cost involved in doing the right thing.  
Only one key needs to be distributed.   Each mechanism uses its own 
"key variant."   Key variants are produced with no significant overhead.



Phil
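As an added illustration of the "key variant" point above (example code written for this page, not something from the thread or any particular product): one distributed key is expanded into separate encryption and authentication variants with HKDF-Expand (RFC 5869, assumed here as the derivation function), and the integrity tag is checked only with the authentication variant. The cost is a couple of HMAC calls per key, and the two mechanisms never share an operational key.

```python
import hashlib
import hmac


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), hashlib.sha256).digest()
        out += t
        i += 1
    return out[:length]


def key_variant(distributed_key: bytes, purpose: bytes, length: int = 32) -> bytes:
    """One distributed key -> one independent variant per mechanism.

    The purpose label is what keeps the encryption and authentication
    variants distinct; each derivation is a single HMAC call, so there
    is no extra key-management cost beyond distributing the one key.
    """
    return hkdf_expand(distributed_key, b"variant:" + purpose, length)


def tag(auth_key: bytes, ciphertext: bytes) -> bytes:
    """Integrity check value over the ciphertext (encrypt-then-MAC)."""
    return hmac.new(auth_key, ciphertext, hashlib.sha256).digest()


def verify(auth_key: bytes, ciphertext: bytes, mac: bytes) -> bool:
    """Constant-time check; a tag made under any other key must fail."""
    return hmac.compare_digest(tag(auth_key, ciphertext), mac)


# Constructed sample: the single key that would actually be distributed.
DISTRIBUTED_KEY = bytes(range(32))
ENC_KEY = key_variant(DISTRIBUTED_KEY, b"encryption")
AUTH_KEY = key_variant(DISTRIBUTED_KEY, b"authentication")


def demo() -> dict:
    """Show the variants differ and that only the auth variant verifies."""
    ct = b"constructed ciphertext bytes"      # stand-in for DES-CBC output
    mac = tag(AUTH_KEY, ct)
    return {
        "variants_differ": ENC_KEY != AUTH_KEY,
        "verifies_with_auth_variant": verify(AUTH_KEY, ct, mac),
        "verifies_with_enc_variant": verify(ENC_KEY, ct, mac),
        "verifies_with_distributed_key": verify(DISTRIBUTED_KEY, ct, mac),
    }
```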