Re: Proposed changes to ESP (and a little AH too)
Uri Blumenthal writes:
> 2. I don't have [at this moment] an example of how to break this
> encrypt-first-auth-second scheme.
Let me just toss in another observation on this operation ordering.
Compared to auth-then-encrypt, I think this order technically makes it
easier to compile a set of plaintext/ciphertext pairs, because it moves
a potential entropy source outside the encryption. Suppose the
replay counter is shifted outside the encryption as suggested. If an
attacker can choose payload data & type values that require no padding,
then all the plaintext input to the encryption transform is known, and
of course the resulting ciphertext can be observed.
On the other hand, with the auth-then-encrypt ordering, the HMAC digest
forms part of the plaintext input to the encryption transform. The
attacker presumably can't choose the HMAC digest value, and _may_ be
unable to verify it at the receiver. Thus the complete plaintext
corresponding to an observed ciphertext may not be as readily available
to the attacker.
(It also may be easier under some circumstances for the attacker to
verify unpadded payload data & type values than HMAC digest values,
at the receiver, even when nothing is chosen. The HMAC digest is much
less interesting to higher protocol layers than is the payload, after
the receiver performs its authentication check.)
-Lewis
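The two orderings compared in this message, as an added example that is not part of the original post or of any ESP specification: a simplified ESP-like trailer (payload, pad, PadLength, NextHeader) is built and then processed in each order, with the replay counter kept outside the encryption as the thread proposes. AES-128-CBC, HMAC-SHA256, the keys and the fixed IV are assumptions chosen for the example. The code reports how many of the bytes fed to the block cipher are fixed by whoever chose the payload; pad bytes are counted as not sender-chosen, following the accounting in the message, which is a modelling assumption rather than anything the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed key and IV material for this example only; a real ESP SA would use
// negotiated keys and a fresh IV per packet. AES-128-CBC and HMAC-SHA256 are assumed.
var (
	encKey = []byte("0123456789abcdef")
	macKey = []byte("fedcba9876543210")
	iv     = []byte("ivivivivivivivi!") // fixed so the output is reproducible
)

// Packet is a simplified ESP-like datagram; the replay counter sits outside the
// encryption in both orderings, as the thread proposes.
type Packet struct {
	Seq        uint32
	Ciphertext []byte
	Tag        []byte // nil for MAC-then-encrypt, where the tag travels inside the ciphertext
}

// Analysis records the bytes fed to the block cipher and how many of them the party
// who chose the payload can write down without holding any key.
type Analysis struct {
	CipherInput []byte
	KnownBytes  int
}

func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// hmacTag authenticates the 32-bit replay counter followed by the given parts.
func hmacTag(key []byte, seq uint32, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	var s [4]byte
	binary.BigEndian.PutUint32(s[:], seq)
	m.Write(s[:])
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// trailer builds payload || pad || PadLength || NextHeader, block aligned as in ESP.
// Following the poster's accounting, pad bytes are not counted as sender-chosen (a
// transform may define its own pad contents); payload, PadLength and NextHeader are.
func trailer(payload []byte, nextHeader byte) (data []byte, known int) {
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	data = append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		data = append(data, byte(i)) // ESP's default 1,2,3,... pad pattern
	}
	return append(data, byte(padLen), nextHeader), len(payload) + 2
}

// encryptThenMAC encrypts the trailer, then authenticates seq || IV || ciphertext.
func encryptThenMAC(seq uint32, payload []byte, nextHeader byte) (Packet, Analysis) {
	data, known := trailer(payload, nextHeader)
	ct := cbcEncrypt(encKey, iv, data)
	return Packet{Seq: seq, Ciphertext: ct, Tag: hmacTag(macKey, seq, iv, ct)},
		Analysis{CipherInput: data, KnownBytes: known}
}

// verifyEncryptThenMAC is the receiver's check: recompute the tag over the public
// fields and compare in constant time before decrypting anything.
func verifyEncryptThenMAC(p Packet) bool {
	return hmac.Equal(p.Tag, hmacTag(macKey, p.Seq, iv, p.Ciphertext))
}

// macThenEncrypt authenticates seq || trailer, appends the tag (32 bytes, so the input
// stays block aligned) and encrypts both; the tag bytes are never sender-known.
func macThenEncrypt(seq uint32, payload []byte, nextHeader byte) (Packet, Analysis) {
	data, known := trailer(payload, nextHeader)
	in := append(append([]byte{}, data...), hmacTag(macKey, seq, data)...)
	return Packet{Seq: seq, Ciphertext: cbcEncrypt(encKey, iv, in)},
		Analysis{CipherInput: in, KnownBytes: known}
}

func main() {
	payload := []byte("chosen-payload") // 14 bytes + 2 trailer bytes: no pad needed
	_, a := encryptThenMAC(1, payload, 6)
	_, b := macThenEncrypt(1, payload, 6)
	fmt.Printf("encrypt-then-MAC: %d of %d cipher-input bytes sender-known\n", a.KnownBytes, len(a.CipherInput))
	fmt.Printf("MAC-then-encrypt: %d of %d cipher-input bytes sender-known\n", b.KnownBytes, len(b.CipherInput))
}
```

With the 14-byte payload above, the encrypt-then-MAC cipher input is 16 of 16 bytes sender-known, while the MAC-then-encrypt input is 16 of 48, the other 32 being the HMAC tag that only a holder of the MAC key can produce. A payload that does need padding (for example 5 bytes) brings the encrypt-then-MAC figure down to 7 of 16 under this accounting. `verifyEncryptThenMAC` shows the receiver-side check that belongs with the first ordering: the tag is compared over the public fields before any decryption, so a modified ciphertext or replay counter is rejected without the cipher ever being run on it.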