OCB mode[1] is a CCA-secure[2] mode of encryption which means that it's secure against active attackers, which pretty much applies to anything on the internet. By contrast, non-authenticated encryption (anything without a MAC, e.g. AES-CBC, AES-CTR) is only CPA-secure[3] and breaks under an active attacker.
You can build CCA-secure schemes by combining Enc() and Mac() operations (with different keys!). Enc(M)||Mac(Enc(M)) is generally secure; Enc(M||Mac(M)) and Enc(M)||Mac(M) can have security problems, the latter being more likely to be insecure. However, OCB is apparently faster than schemes that do authentication/encryption separately. It used to be patent-encumbered, but as of January 2013, the creator is giving an exception to open source projects.[4]

I'm not sure if any of this was taken into consideration by whoever originally did the crypto for Freenet, and I haven't looked into the implementation in great detail to see if we are doing Enc_k1(M)||Mac_k2(Enc(M)) everywhere, as opposed to one of the other less secure options. Hopefully someone who did the crypto for Freenet can comment further.

X

[1] http://en.wikipedia.org/wiki/OCB_mode
[2] http://en.wikipedia.org/wiki/Chosen-ciphertext_attack
[3] http://en.wikipedia.org/wiki/Chosen-plaintext_attack
[4] http://www.cs.ucdavis.edu/~rogaway/ocb/license.htm

_______________________________________________
Devl mailing list
[email protected]
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl
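The Enc_k1(M)||Mac_k2(Enc(M)) construction the post recommends, as an added example that is not from the original message or from Freenet's code. It uses HMAC-SHA256 as a stand-in PRF for the block cipher so it runs on Python's standard library alone; the keys, nonce and message are constructed values, and the `ctr_encrypt` helper is the unauthenticated "CPA-only" baseline the post contrasts it with.

```python
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: PRF(enc_key, nonce || counter) for counter = 0, 1, ...
    # HMAC-SHA256 stands in for AES here so the example needs no third-party library.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def ctr_encrypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Unauthenticated stream encryption (the AES-CTR analogue). Decryption is the same XOR.
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def etm_encrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    # Encrypt-then-MAC with independent keys: the tag covers nonce || ciphertext.
    ct = ctr_encrypt(enc_key, nonce, message)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext at all.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_encrypt(enc_key, nonce, ct)


def accepts(enc_key: bytes, mac_key: bytes, blob: bytes) -> bool:
    # True if the receiver would accept this blob as authentic.
    try:
        etm_decrypt(enc_key, mac_key, blob)
        return True
    except ValueError:
        return False


def flip_byte(data: bytes, index: int, mask: int = 0x01) -> bytes:
    # Simulates in-transit corruption of one byte (what an active attacker can do).
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]
```

With plain `ctr_encrypt`, flipping a ciphertext byte flips the same plaintext byte and nobody notices; with `etm_decrypt` the same change is rejected before any plaintext is released.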
