Re: Order of Encryption and Authentication

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 12/17/03

• Next message: David Wagner: "Re: IP Level Encryption (kind of long)"
• Previous message: David Wagner: "Re: Order of Encryption and Authentication"
• In reply to: nobody: "Re: Order of Encryption and Authentication"
• Next in thread: Mok-Kong Shen: "Re: Order of Encryption and Authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 17 Dec 2003 10:40:33 +0000 (UTC)

nobody wrote:
>b) mac = MAC(key2, plaintext);
> ciphertext = E(key1, plaintext + mac);
> sending "ciphertext"
>
>Here, if the attacker obtains key2, they cannot alter the ciphertext
>undetected (since the plaintext and mac are both encrypted with key1,
>which they don't have).

I don't believe this is correct, in general. I believe it depends
on the particular MAC and encryption algorithm you choose.

>Likewise, if they obtain just key1 they can
>read the message but cannot alter it (as the embedded mac is calculated
>using key2, which they don't have).

This part looks right to me.

---

• Next message: David Wagner: "Re: IP Level Encryption (kind of long)"
• Previous message: David Wagner: "Re: Order of Encryption and Authentication"
• In reply to: nobody: "Re: Order of Encryption and Authentication"
• Next in thread: Mok-Kong Shen: "Re: Order of Encryption and Authentication"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)