[147199] in cryptography@c2.net mail archive
Re: [Cryptography] The paranoid approach to crypto-plumbing
daemon@ATHENA.MIT.EDU (John Kelsey)
Tue Sep 17 19:32:49 2013
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20130917114135.405b006b@jabberwock.cb.piermont.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Tue, 17 Sep 2013 18:21:47 -0400
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Jerry Leichter <leichter@lrw.com>,
"cryptography@metzdowd.com List" <cryptography@metzdowd.com>,
Bill Frantz <frantz@pwpconsult.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sep 17, 2013, at 11:41 AM, "Perry E. Metzger" <perry@piermont.com> wrote:
>
> I confess I'm not sure what the current state of research is on MAC
> then Encrypt vs. Encrypt then MAC -- you may want to check on that.
Encrypt then MAC has a couple of big advantages centering around the idea that you don't have to worry about reaction attacks, where I send you a possibly malformed ciphertext and your response (error message, acceptance, or even time differences in when you send an error message) tells me something about your secret internal state.
> Perry
--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
