At 12:46 PM 2/21/03 -0500, Anton Stiglic wrote: ...
> If SSL required encrypt-then-MAC, a programmer would more naturally start by verifying the MAC, then decrypt the message, so Vaudenay's attack would be caught first by the MAC verification and the implementation would probably return an error after the MAC verification and not leak the information needed to discover the plaintext.

This works as long as the data the MAC is computed over includes everything needed to decrypt the message. If there's context that's not included in the MAC, you can end up accepting a different plaintext than the one that was sent. (That should be obvious, but I've seen it messed up once or twice.)

> So even though the attack is not directly the result of the SSL protocol spec, a spec which would favor encrypt-then-MAC would be better from my point of view, and the security holes relating to this SSL attack in implementations might have much less of a chance of existing.

I think this is a good general principle, for the same reason. If you MAC the ciphertext, then the designer of the protocol has some extra work to do, proving that there's no way to accept the MAC but get a different plaintext than was sent. If you MAC the plaintext, then the implementors have extra work to do, which won't be nearly as well reviewed or understood as the protocol.

> --Anton
--John Kelsey, [EMAIL PROTECTED]
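The point about the MAC having to cover everything needed to decrypt, as a worked example. This is added illustration, not code from the thread or from any SSL implementation. It assumes a CTR-style stream cipher whose keystream comes from HMAC-SHA256 used as a PRF (a stand-in for a block cipher so the script needs only the Python standard library), HMAC-SHA256 as the MAC, and a nonce as the only decryption context besides the keys. The `mac_covers_nonce` switch selects between a MAC over nonce and ciphertext and a MAC over the ciphertext alone; the receiver always verifies before decrypting, so the tag check is the single error path. With the nonce left out of the MAC, a modified nonce still passes verification and the receiver accepts a plaintext that is not the one sent.

```python
"""Encrypt-then-MAC: does the tag cover all of the decryption context?

Added example, not from the mailing-list thread. Constructed assumptions:
HMAC-SHA256 as a CTR-mode PRF standing in for a block cipher, HMAC-SHA256
as the MAC, a 16-byte nonce as the only context besides the keys.
"""
import hashlib
import hmac
import struct

NONCE_LEN = 16


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: PRF(enc_key, nonce || counter) for counter = 0, 1, ...

    HMAC-SHA256 is the PRF here (an assumption of this example); with a real
    block cipher this would be AES-CTR and the nonce would play the same role.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(mac_key: bytes, nonce: bytes, ct: bytes, mac_covers_nonce: bool) -> bytes:
    # Correct construction: MAC over nonce || ciphertext.
    # Weak construction (mac_covers_nonce=False): MAC over ciphertext only,
    # leaving the decryption context unauthenticated.
    covered = (nonce if mac_covers_nonce else b"") + ct
    return hmac.new(mac_key, covered, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes,
         mac_covers_nonce: bool = True):
    """Encrypt-then-MAC. Returns (nonce, ciphertext, tag)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    return nonce, ct, _tag(mac_key, nonce, ct, mac_covers_nonce)


def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes,
           mac_covers_nonce: bool = True) -> bytes:
    """Verify the MAC first; only then touch the ciphertext.

    Nothing about the plaintext (padding, format, length fields) is examined
    before the tag check, so a forged or modified record yields one error.
    """
    expected = _tag(mac_key, nonce, ct, mac_covers_nonce)
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC verification failed")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    """Send one record under both constructions, then flip a nonce bit in transit.

    Returns {mac_covers_nonce: (outcome, plaintext_matches_original)}.
    """
    enc_key = b"K" * 32          # constructed test keys, not secrets
    mac_key = b"M" * 32
    nonce = bytes(range(NONCE_LEN))
    msg = b"transfer 100 to alice"   # constructed sample plaintext
    results = {}
    for covers in (True, False):
        n, ct, tag = seal(enc_key, mac_key, nonce, msg, covers)
        if unseal(enc_key, mac_key, n, ct, tag, covers) != msg:
            raise RuntimeError("round trip failed")
        # Context altered in transit; ciphertext and tag left untouched.
        bad_nonce = bytes([n[0] ^ 0x01]) + n[1:]
        try:
            pt = unseal(enc_key, mac_key, bad_nonce, ct, tag, covers)
            results[covers] = ("accepted", pt == msg)
        except ValueError:
            results[covers] = ("rejected", None)
    return results


if __name__ == "__main__":
    for covers, (outcome, same) in demo().items():
        print("MAC covers nonce=%s: %s, plaintext unchanged=%s" % (covers, outcome, same))
```

Running `demo()` shows the contrast the reply describes: with the nonce under the MAC, the altered record is rejected before any decryption happens; with the nonce outside the MAC, verification succeeds and the receiver hands back a plaintext that differs from what was sent, with no error to tell it apart from a legitimate record.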
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]