
Re: Proposed changes to ESP (and a little AH too)



Uri Blumenthal writes:
> 2. I don't have [at this moment]  an example of how to break this
>    encrypt-first-auth-second scheme.

Let me just toss in another observation on this operation ordering. 
Compared to auth-then-encrypt, I think this order technically makes it 
easier to compile a set of plaintext/ciphertext pairs, because it moves
a potential entropy source outside the encryption. Suppose the 
replay counter is shifted outside the encryption as suggested. If an 
attacker can choose payload data & type values that require no padding, 
then all the plaintext input to the encryption transform is known, and 
of course the resulting ciphertext can be observed. 

On the other hand, with the auth-then-encrypt ordering, the HMAC digest 
forms part of the plaintext input to the encryption transform. The 
attacker presumably can't choose the HMAC digest value, and _may_ be 
unable to verify it at the receiver. Thus the complete plaintext 
corresponding to an observed ciphertext may not be as readily available
to the attacker.

(It also may be easier under some circumstances for the attacker to 
verify unpadded payload data & type values than HMAC digest values,
at the receiver, even when nothing is chosen. The HMAC digest is much
less interesting to higher protocol layers than is the payload, after 
the receiver performs its authentication check.)

-Lewis
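The observation above, worked through as an added example (not code from the original message or from any ESP implementation): it builds the bytes that enter the encryption transform under each ordering and marks which of them a sender who chose the payload and type values could predict. Assumed: an 8-byte cipher block, a 12-byte truncated HMAC-SHA256 authenticator, a 4-byte replay counter, monotonic pad content, and that pad bytes count as unknown unless no padding is needed.

```python
import hmac
import hashlib

BLOCK = 8        # assumed: 64-bit cipher block, as in the DES-CBC ESP transform
TAG_LEN = 12     # assumed: truncated HMAC authenticator length


def esp_trailer(payload: bytes, next_header: int, block: int = BLOCK) -> tuple:
    """Payload plus an ESP-style trailer (pad bytes, pad-length byte, next-header byte).
    Returns (bytes, pad_len)."""
    pad_len = (-(len(payload) + 2)) % block
    padding = bytes(range(1, pad_len + 1))     # assumed monotonic pad content
    return payload + padding + bytes([pad_len, next_header]), pad_len


def cipher_input(ordering: str, seq: int, payload: bytes, next_header: int, auth_key: bytes):
    """Bytes that enter the encryption transform for one ordering, plus a mask where
    mask[i] is True when byte i is predictable by an attacker who chose payload and type."""
    body, pad_len = esp_trailer(payload, next_header)
    # Conservative assumption: pad content is implementation-chosen, so it is unknown
    # unless the attacker picked a length that needs no padding (the mail's condition).
    known = [True] * len(payload) + [pad_len == 0] * pad_len + [True, True]
    if ordering == "encrypt-then-auth":
        # Replay counter and HMAC sit outside the encryption; only the trailer enters it.
        return body, known
    if ordering == "auth-then-encrypt":
        tag = hmac.new(auth_key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()[:TAG_LEN]
        # The keyed digest becomes part of the plaintext and is not attacker-choosable.
        return body + tag, known + [False] * TAG_LEN
    raise ValueError(f"unknown ordering {ordering!r}")


def fully_known_plaintext(ordering: str, seq: int, payload: bytes, next_header: int,
                          auth_key: bytes) -> bool:
    """True when every byte entering the cipher is predictable by the attacker."""
    _, known = cipher_input(ordering, seq, payload, next_header, auth_key)
    return all(known)
```

With a 14-byte payload (14 + 2 = 16, so no padding) the encrypt-then-auth input is entirely predictable, while under auth-then-encrypt the 12 tag bytes are not.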

