Re: Signatures and encryption headers



On 11. Nov, 06:18 h., d...@xxxxxxxxxxxxxxxxxxxxxxxx (David Wagner)
wrote:
This is known as authenticate-then-encrypt.  Unfortunately it is not
generically secure, meaning that for some encryption methods it is OK but
for some others it is not OK.  Hugo Krawczyk has a paper at CRYPTO on EtA:
it's an eye-opener.  He gives an example of an encryption algorithm that
provides confidentiality (securely) but where authenticate-then-encrypt
is not secure due to the existence of a crazy reaction attack.  It's
pretty wild.  The particular example he gives is artificial but it
illustrates that AtE isn't necessarily secure, so one should be
cautious.  It might be OK for real-world encryption schemes but I'm
not 100% sure about that; I don't know what kind of analysis has been
done.  And in practice maybe we could decide that chosen-ciphertext
attacks are pretty rare so maybe we're arguing over how many angels
can dance on the head of a pin (at least compared to other threats).

Just to be sure did you mean "The Order of Encryption and
Authentication for Protecting Communications (or: How Secure Is
SSL?)." (http://www.iacr.org/archive/crypto2001/21390309.pdf) or are
you reffering to other paper?

Best regards

Martin
.