[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Results of quick survey



Phil Karn writes:
> So unless your encryption algorithm is *free* (not just as cheap
> as the authentication) there is still a good reason to put
> authentication outside encryption.

Uri Blumenthal writes:
# On the other hand, it is considered best to authenticate the
# "final result" date, which is the plaintext.

Does anyone think it might be worthwhile to authenticate _both_ inside and
outside the encryption ?  I.e. HMAC(DES-CBC(HMAC(data)))

This might improve protection against clogging attacks as per Phil, while
authenticating an unambiguous plaintext as suggested by Uri. Howie Weiss
expressed concern earlier about exposing the HMAC result in case the
underlying hash is (partially) cryptanalyzed. The outer HMAC, upon which
the quick anti-clogging protection relies, would be equally vulnerable in
this scheme. But the inner HMAC should be shielded in part against hash
collision attacks, by the covering encryption.

Two immediate problems with this approach are performance degradation for
the sender, and (the big one) complication of the protocol and its analysis.
The receiver could be allowed to choose to ignore the outer HMAC value, thus
avoiding a performance hit by passing up the chance to detect bad packets
early in the processing. Of course this adds complexity to receivers' 
policies.

-Lewis McCarthy
lew@cs.cornell.edu (until June 1)