8.2 Order of Authentication and Encryption
...
In general, authentication is more important than encryption. We therefore
prefer to expose the encryption function to Eve's direct attacks and protect
the MAC as much as possible.
...
Ferguson, Schneier: Practical Cryptography p. 116
http://www.amazon.com/gp/reader/0471223573/ref=sib_vae_srch/104-9575567-9415962?v=search-inside&keywords=authentication+is+more+important+than+encryption
J Harper
http://www.peersec.com
----- Original Message -----
From: "Vadim Fedukovich" <v...@unity.net>
To: <opens...@openssl.org>
Sent: Monday, February 23, 2004 12:02 PM
Subject: Re: question on MAC
> On Fri, Feb 20, 2004 at 03:52:00PM -0700, Swaminathan P wrote:
> > Hi,
> > Can someone help me with info on this question?
> > Is there some significance to encrypt the MAC along with the message?
> > Is there some pitfall in leaving the MAC in the cleartext and encrypt the
> > message alone...
> >
> > thanks,
> > swami
>
> the MAC was introduced to detect modified ciphertext.
> The problem could be introduced best with a stream cipher (RC4)
> that XORs data stream with the key-derived stream.
> Someone might not need to know all the original data but just
> to flip a bit at the known position. The example might be acquirer's
> response regarding authorization status obtained on known-invalid
> credit card data. Without a MAC, one could XOR one bit of the encrypted
> response and have the goods shipped.
> Using MAC on ciphertext, one could let (grant) the power to detect
> such an attack without accessing encrypted data.
> For completeness, one might also use MAC on cleartext: running
> quite a sensitive (sometimes fragile) operation without checking
> the input first.
>
> regards,
> Vadim
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List opens...@openssl.org
> Automated List Manager majo...@openssl.org