[Cfrg] Possible RFC: Data integrity combined with encryption
thayes@netscape.com (Terry Hayes) Thu, 19 September 2002 22:01 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA24765 for <cfrg-archive@odin.ietf.org>; Thu, 19 Sep 2002 18:01:35 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id g8JM2wE09746 for cfrg-archive@odin.ietf.org; Thu, 19 Sep 2002 18:02:58 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8JM2wv09743 for <cfrg-web-archive@optimus.ietf.org>; Thu, 19 Sep 2002 18:02:58 -0400
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA24756 for <cfrg-web-archive@ietf.org>; Thu, 19 Sep 2002 18:01:05 -0400 (EDT)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8JM1Qv09695; Thu, 19 Sep 2002 18:01:26 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id g8JM02v09644 for <cfrg@optimus.ietf.org>; Thu, 19 Sep 2002 18:00:02 -0400
Received: from netscape.com (r2d2.netscape.com [205.217.237.47]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA24691 for <cfrg@ietf.org>; Thu, 19 Sep 2002 17:58:07 -0400 (EDT)
Received: from judge.mcom.com (judge.nscp.aoltw.net [10.169.8.47]) by netscape.com (8.10.0/8.10.0) with ESMTP id g8JL9ou20371 for <cfrg@ietf.org>; Thu, 19 Sep 2002 14:09:50 -0700 (PDT)
Received: from h-10-169-25-78.nscp.aoltw.net ([10.169.25.78]) by judge.mcom.com (Netscape Messaging Server 4.15) with ESMTP id H2PH2V02.T2Q for <cfrg@ietf.org>; Thu, 19 Sep 2002 14:59:19 -0700
Date: Thu, 19 Sep 2002 14:59:20 -0700
From: thayes@netscape.com
To: cfrg@ietf.org
Message-ID: <3D8A48B8.9070806@netscape.com>
X-Mailer: Netscape Messenger M9 (powered by Photon [20020917.1])
Organization: Netscape Communications Corp.
MIME-Version: 1.0
Content-Type: TEXT/HTML; CHARSET="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
Subject: [Cfrg] Possible RFC: Data integrity combined with encryption
Sender: cfrg-admin@ietf.org
Errors-To: cfrg-admin@ietf.org
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Transfer-Encoding: quoted-printable
The current discussion on this list about the security of OpenPGP is covering
an interesting set of topics relating to protocols that try to provide both
encryption and integrity. I think this group could provide valuable information
to IETF by creating an RFC that describes the best current practices in this
area.
Right now it is difficult for designers to get good information on how to
build protocols that provide both encryption and integrity. In fact, some
of the best known sources of information about cryptographic algorithms seem
to provide methods that are now believed to be incorrect. For example, Handbook
of Applied Cryptography (Menezes, van Oorschot and Vanstone) contains a section
in Chapter 9 called "Data integrity using encryption and an MDC". This section
essentially describes the method proposed in OpenPGP. While it does include
remarks about the dangers of using this method with stream ciphers in situations
where there is known plaintext, the overall impression is that it is always
good method when used with block ciphers in CBC mode. The RFC might describe
what steps should to be taken to use this method in a protocol (if it is possible
at all).
The following section in HAC describes including a MAC to provide integrity.
However it describes the method of including the MAC inside the encrypted
data, computed on the plaintext. Hugo Krawczyk's work on the order of encryption
and authentication shows that reversing these might be better. The RFC might
describe the preferred method (encrypt then authenticate) and indicate when
it would be safe or more appropriate to do something else (if ever).
I have quite often heard the mantra "sign and then encrypt". Applying this
rule leads to designs like authenticate-then-encrypt. The RFC might describe
situations where signing first is important, and distinguish them from the
cases where encrypt-then-authenticate is the preferred thing to do.
Finally, there are new modes under consideration (such as OCB and CCM) that
provide both encryption and integrity. The RFC might mention these new modes,
and possibly recommend one that should be used.
I would find an RFC that covers these issues very useful. What do others
think?
Terry Hayes
thayes@netscape.com
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
- [Cfrg] Possible RFC: Data integrity combined with… Terry Hayes
- Re: [Cfrg] Possible RFC: Data integrity combined … Mihir Bellare
- Re: [Cfrg] Possible RFC: Data integrity combined … Aram Perez
- [Cfrg] Possible RFC: Data integrity combined with… Mok-Kong Shen
- Re: [Cfrg] Possible RFC: Data integrity combined … Helger Lipmaa
- [Cfrg] Possible RFC: Data integrity combined with… Mok-Kong Shen
- Re: [Cfrg] Possible RFC: Data integrity combined … Anton Stiglic
- Re: [Cfrg] Possible RFC: Data integrity combined … csjutla
- Re: [Cfrg] Possible RFC: Data integrity combined … Mok-Kong Shen
- Re: [Cfrg] Possible RFC: Data integrity combined … Mok-Kong Shen
- Re: [Cfrg] Possible RFC: Data integrity combined … Housley, Russ