[147176] in cryptography@c2.net mail archive


Re: [Cryptography] The paranoid approach to crypto-plumbing

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 17 11:41:43 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 17 Sep 2013 11:41:35 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Bill Frantz <frantz@pwpconsult.com>
In-Reply-To: <r422Ps-1075i-4BE3ADA34B524F1FAA453CC22455A352@Williams-MacBook-Pro.local>
Cc: Jerry Leichter <leichter@lrw.com>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Mon, 16 Sep 2013 17:47:11 -0700 Bill Frantz
<frantz@pwpconsult.com> wrote:
> Authentication is achieved by signing the entire exchange with 
> DSA.  --  Change the protocol to sign the exchange with both RSA 
> and DSA and send and check both signatures.

Remember to generate the nonce for DSA using a deterministic method.

> The current data exchange encryption uses SHA1 in HMAC mode and 
> 3DES in CBC mode with MAC then encrypt. The only saving grace is 
> that the first block of each message is the HMAC, which will 
> make the known plain text attacks on the protocol harder. -- I 
> would replace this protocol with one that encrypts twice and 
> MACs twice. Using one of the modes which encrypt and MAC in one 
> operation as the inner layer is very tempting with a different 
> cypher in counter mode and a HMAC as the outer layer.

I confess I'm not sure what the current state of research is on MAC
then Encrypt vs. Encrypt then MAC -- you may want to check on that.

Also, you may want to generate your IVs deterministically from a
block cipher in counter mode, and not actually send them on the wire
-- see earlier discussions for why that is good, but in addition to
assuring the IVs are unpredictable and do not repeat, it prevents a
bad actor from using the IV as a covert channel. (Some would argue
against using CBC mode entirely -- see Rogaway's paper on block
cipher modes.)

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
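The two mechanisms Perry recommends above, deriving IVs from a block cipher in counter mode so they never appear on the wire, and layering a MAC over the ciphertext, as an added example in Go that is not code from the list, from Perry or from Bill. It assumes a single encrypt-then-MAC layer (Bill's proposal stacks two such layers; the same construction would be applied twice with independent keys), AES-128 under an IV-only key for the counter-mode derivation, AES-256-CBC with PKCS#7 padding for the data, HMAC-SHA256 for authentication, a message sequence number that both endpoints track implicitly, and a labelled SHA-256 as a stand-in for a real KDF such as HKDF. The shared secret and message are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keys holds three independent keys: one used only to derive IVs, one to
// encrypt and one to authenticate.
type Keys struct{ IV, Enc, MAC []byte }

// DeriveKeys expands a shared secret into the three keys. Labelled SHA-256
// is an assumption standing in for a proper KDF such as HKDF.
func DeriveKeys(secret []byte) Keys {
	sub := func(label string, n int) []byte {
		h := sha256.Sum256(append([]byte(label+":"), secret...))
		return h[:n]
	}
	return Keys{IV: sub("iv", 16), Enc: sub("enc", 32), MAC: sub("mac", 32)}
}

// deriveIV is one block of AES-CTR keystream under the IV-only key, with the
// message sequence number as the counter. Both endpoints compute it, so it is
// never transmitted and cannot carry a covert channel; without the key it is
// unpredictable, and it cannot repeat while sequence numbers do not.
func deriveIV(ivKey []byte, seq uint64) ([]byte, error) {
	block, err := aes.NewCipher(ivKey)
	if err != nil {
		return nil, err
	}
	counter := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(counter[8:], seq)
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, counter)
	return iv, nil
}

// pad and unpad implement PKCS#7 for CBC. Because the MAC is verified before
// decryption, padding errors are never reachable by a forged message.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// tag computes HMAC-SHA256 over seq || ciphertext: the implicit sequence
// number is authenticated even though it is not sent.
func tag(macKey []byte, seq uint64, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	var hdr [8]byte
	binary.BigEndian.PutUint64(hdr[:], seq)
	m.Write(hdr[:])
	m.Write(ct)
	return m.Sum(nil)
}

// Seal produces ciphertext || tag for message number seq (encrypt-then-MAC).
func Seal(k Keys, seq uint64, plaintext []byte) ([]byte, error) {
	iv, err := deriveIV(k.IV, seq)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(ct, tag(k.MAC, seq, ct)...), nil
}

// Open verifies the tag for the expected sequence number before touching the
// cipher, then re-derives the same IV the sender used and decrypts.
func Open(k Keys, seq uint64, wire []byte) ([]byte, error) {
	if len(wire) < aes.BlockSize+sha256.Size || (len(wire)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("bad message length")
	}
	ct, got := wire[:len(wire)-sha256.Size], wire[len(wire)-sha256.Size:]
	if !hmac.Equal(got, tag(k.MAC, seq, ct)) {
		return nil, errors.New("MAC check failed")
	}
	iv, err := deriveIV(k.IV, seq)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

func main() {
	k := DeriveKeys([]byte("constructed shared secret")) // constructed sample value
	wire, _ := Seal(k, 7, []byte("hello, paranoid plumbing"))
	pt, err := Open(k, 7, wire)
	fmt.Printf("%d bytes on the wire, no IV among them; decrypted %q, err=%v\n", len(wire), pt, err)
}
```

The receiver keys `Open` on its own expected sequence number, so a replayed or reordered message fails the MAC check rather than being decrypted under the wrong IV; a real protocol additionally needs a rule for what happens to the counter after a failed check.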
