[13375] in cryptography@c2.net mail archive
Re: Nullsoft's WASTE communication system
daemon@ATHENA.MIT.EDU (David Wagner)
Sun Jun 1 10:35:59 2003
X-Original-To: cryptography@metzdowd.com
X-Envelope-To: cryptography@metzdowd.com
To: cryptography@metzdowd.com
From: daw@mozart.cs.berkeley.edu (David Wagner)
Date: 31 May 2003 15:54:26 GMT
X-Complaints-To: news@abraham.cs.berkeley.edu
Eric Rescorla wrote:
>E(M) || H(M) -> This is still quite dangerous. If the attacker
> can somehow reset the IV, then they can mount
> an attack on the first cipher block.
Also, it can violate confidentiality. If M is guessable,
the guess can be confirmed using H(M).
>E(M || H(M)) -> This is hard to attack with block ciphers, but
> easy with stream ciphers.
Even for block ciphers, it's vulnerable against chosen-message
attack, although I agree this weakness may be more or less theoretical.
I certainly agree with all your comments. I can't imagine why
they invented their own crypto, rather than just using SSL.