Cryptographic Doom Principle


Alan Orth

Sep 15, 2015, 6:11:36 AM
to nairobi-gnu
"When it comes to designing secure protocols, I have a principle that goes like this: if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom."

http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/

Good discussion (albeit a few years old) from Moxie — author of TextSecure and some other cool stuff like the PPTP VPN cracker[0] — about designing secure protocols, specifically about how to authenticate message contents (aka hashing, to make sure the content wasn't altered).

He comes to the conclusion that the best method is to encrypt-then-MAC. This is what AEAD ciphers like AES-GCM do in TLS, versus doing encryption with AES-CBC and then using SHA1 to authenticate the message. Check the lock icon in Chrome when you're visiting a site that uses HTTPS and you'll see how modern sites like mjanja.ch and google.com use AEAD ciphers that encrypt-then-mac.

Regards,

[0] https://www.cloudcracker.com/

--
Alan Orth
alan...@gmail.com
https://alaninkenya.org
https://mjanja.ch
"In heaven all the interesting people are missing." -Friedrich Nietzsche
GPG public key ID: 0x8cb0d0acb5cd81ec209c6cdfbd1a0e09c2f836c0
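The two constructions the post contrasts, as an added example that is not part of the original message and not Moxie's or Alan's code. It puts encrypt-then-MAC (verify the tag, then and only then decrypt) beside MAC-then-encrypt (decrypt and strip padding before the tag can be checked) and shows why the second one violates the doom principle: a tampered message fails in two observably different ways, which is the oracle behind the Vaudenay-style padding attacks the blog post discusses. The cipher here is a toy stand-in (an HMAC-SHA256 keystream in counter mode) so that the script runs with the Python standard library only; the keys, nonce and plaintext are constructed values, and a real sender would use AES (or, better, an AEAD mode) with a fresh nonce per message.

```python
import hashlib
import hmac
import struct

BLOCK = 16          # padding block size, as in CBC-based TLS record protection
TAG_LEN = 32        # HMAC-SHA256 output
NONCE_LEN = 16

# Constructed demo inputs (not real keys; a real sender uses a fresh nonce per message).
ENC_KEY = b"E" * 32
MAC_KEY = b"M" * 32
NONCE = b"\x00" * NONCE_LEN
PLAINTEXT = b"GET /account HTTP/1.1"


class MacError(Exception):
    """Authentication tag did not verify."""


class PaddingError(Exception):
    """Padding malformed; only reachable when decryption runs before verification."""


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (stand-in for AES-CTR): HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError()
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError()
    return data[:-n]


# --- Encrypt-then-MAC: the tag covers nonce and ciphertext; nothing is decrypted until it verifies.
def etm_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = xor_with_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_open(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    if len(message) < NONCE_LEN + TAG_LEN:
        raise MacError()
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time compare, single failure mode
        raise MacError()
    return xor_with_keystream(enc_key, nonce, ct)  # first crypto op on data already authenticated


# --- MAC-then-encrypt (the TLS CBC layout): tag appended to plaintext, then padded, then encrypted.
def mte_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return nonce + xor_with_keystream(enc_key, nonce, pad(plaintext + tag))


def mte_open(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    nonce, ct = message[:NONCE_LEN], message[NONCE_LEN:]
    padded = xor_with_keystream(enc_key, nonce, ct)  # decrypting attacker-controlled bytes: doom
    body = unpad(padded)                             # may raise PaddingError before any MAC check
    if len(body) < TAG_LEN:
        raise MacError()
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, plaintext, hashlib.sha256).digest(), tag):
        raise MacError()
    return plaintext


def tamper(message: bytes, index: int, delta: int) -> bytes:
    """Flip bits in one byte of a message, as an on-path attacker could."""
    m = bytearray(message)
    m[index] ^= delta
    return bytes(m)


def failure_mode(open_fn, enc_key: bytes, mac_key: bytes, message: bytes) -> str:
    """What a receiver reveals about a tampered message: 'ok' or the exception class name."""
    try:
        open_fn(enc_key, mac_key, message)
        return "ok"
    except (MacError, PaddingError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    etm = etm_seal(ENC_KEY, MAC_KEY, NONCE, PLAINTEXT)
    mte = mte_seal(ENC_KEY, MAC_KEY, NONCE, PLAINTEXT)
    for delta in (0x01, 0x0A):
        # Same flip in the last ciphertext byte: ETM always says MacError, MTE leaks which padding
        # values are valid (PaddingError vs MacError), i.e. information about the plaintext byte.
        print(hex(delta),
              failure_mode(etm_open, ENC_KEY, MAC_KEY, tamper(etm, -TAG_LEN - 1, delta)),
              failure_mode(mte_open, ENC_KEY, MAC_KEY, tamper(mte, -1, delta)))
```

With the constructed plaintext, the padded MAC-then-encrypt body ends in eleven 0x0b bytes. XORing the last ciphertext byte with 0x0a turns the final padding byte into 0x01 (valid padding, so the receiver proceeds to the MAC and reports a MAC failure), while 0x01 turns it into 0x0a (invalid, reported as a padding failure). An attacker who can tell those two answers apart, by error code or by timing, learns the plaintext byte; the encrypt-then-MAC receiver gives the same answer for every flip because it never decrypts anything it has not verified.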