Re: Signatures and encryption headers
- From: daw@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
- Date: Fri, 7 Nov 2008 21:25:53 +0000 (UTC)
Fabrice wrote:
> With EAX or CCM, you still need some way to communicate the session
> key used, the underlying block cipher and maybe the other parameters
> that the CCM spec calls "Prerequisites" (if they are not fixed by
> the system).
>
> My question is basically, do those prerequisites need to be
> authenticated and/or confidential?
I believe they all need to be authenticated. (I don't have
a particular attack in mind if they are not, but if you fail to
authenticate them you "void the security warranty": for instance,
the proofs of security will probably no longer apply. You could
imagine that one kind of attack that might be possible is a
downgrade attack, where the attacker replaces your choice of a
strong block cipher with a weaker one. At least in principle,
there might be more sophisticated attacks possible -- or at least,
I believe the existing proofs of security do not rule out such a
possibility.)
I believe that only the session key needs to have its
confidentiality protected.
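
An added example, not part of the original post: one way to authenticate the header parameters is to pass them as the AEAD's associated data, which the code below compares with leaving them unbound. Go's standard library has no CCM or EAX, so AES-GCM stands in; the wire layout, the suite ID and the `bound` parameter are assumptions made for illustration, and the session key is assumed to be shared out of band rather than sent in the header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed wire format: suite(1) | tagLen(1) | nonce(12) | ciphertext+tag.
const hdrLen = 14

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newAEAD(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// Seal emits header||ciphertext. bound is how many leading header bytes go in
// as associated data: 0 leaves the header unauthenticated, hdrLen binds it all.
func Seal(key, pt []byte, bound int) []byte {
	hdr := make([]byte, hdrLen)
	hdr[0], hdr[1] = 0x01, 16 // hypothetical suite ID, tag length in bytes
	must(rand.Read(hdr[2:]))
	return append(hdr, newAEAD(key).Seal(nil, hdr[2:], pt, hdr[:bound])...)
}

// Open verifies the tag over the payload and the first bound header bytes.
func Open(key, msg []byte, bound int) ([]byte, error) {
	if len(msg) < hdrLen+16 {
		return nil, fmt.Errorf("short message: %d bytes", len(msg))
	}
	return newAEAD(key).Open(nil, msg[2:hdrLen], msg[hdrLen:], msg[:bound])
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key
	for _, bound := range []int{0, hdrLen} {
		msg := Seal(key, []byte("hello"), bound)
		msg[0] = 0x02 // suite ID altered in transit
		_, err := Open(key, msg, bound)
		fmt.Printf("bound=%d accepted=%v\n", bound, err == nil)
	}
}
```

With `bound` set to 0 the receiver accepts a message whose suite ID was changed in transit; with the whole header bound, the same change makes tag verification fail.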