[Cryptography Team] Re: KryptOn MakoEnvelope signedAndSealedFrom:to:object:

Tony Garnock-Jones tonyg at lshift.net
Tue Jan 10 14:38:13 CET 2006


Hi Chris,

ECB, CTR ("Counter"), EAX and GGM are all modes of operation for block
ciphers. This Wikipedia page
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation provides a
good overview of the different modes, and why ECB is a bad choice, and
why an AEAD mode (near the bottom of the page) is better than a
non-authenticating mode.

(I was particularly struck by the spectacular failure of ECB mode to
encrypt the sample image!)

With specific reference to a Mako signed-sealed envelope, probably the
best thing to do is to perform the public-key signing operation on the
original data, and then encrypt-and-MAC the signed data as a separate
step. The thing to do is to change the way envelopes are sealed (the
signing process can be left alone) to be an encrypt-and-MAC operation
rather than a simple encrypt-only operation with no integrity
protection. For instance, Rijndael in EAX or GGM mode would do nicely
for the enciphering step.

Another thing to watch out for is the key-exchange protocol, which can
be really sensitive.

Cheers,
  Tony

Chris Muller wrote:
> Hi Tony, it may very well be the other way around.  I
> am honestly no encryption expert, just a skilled
> implementor.  I will try to find the web reference
> that recommended that.
> 
> As for ECB, I'm sorry I have no idea what that means. 
> This is exactly the kind of critique I need your guys'
> help with.  I am hoping that the usage and management
> are mostly ok, but there may be some tightening needed
> in the cryptography layer.
> 
> This is a very worthy discussion for the cryptography
> list, I hope you don't mind that I have copied that
> list here.
> 
> Cheers,
>   Chris
> 
> --- Tony Garnock-Jones <tonyg at lshift.net> wrote:
> 
>> Hi Chris,
>>
>> In the comment to method MakoEnvelope class>>signedAndSealedFrom:to:object:,
>> you write "Security experts recommend putting the signed inside the sealed".
>>
>> Isn't it the other way around? According to
>> http://www-cse.ucsd.edu/users/mihir/papers/oem.html the least insecure
>> method is to encrypt, then MAC.
>>
>> Also: On digging into the implementation of enciphering, it looks like
>> the default cipher, Rijndael, is being used in ECB mode. Have I analysed
>> that correctly? (If so, there are other modes that might be better: AEAD
>> modes such as EAX or GGM; at a minimum, CTR, but an AEAD mode would be
>> better, of course)
>>
>> Regards,
>>   Tony

-- 
 [][][] Tony Garnock-Jones     | Mob: +44 (0)7905 974 211
   [][] LShift Ltd             | Tel: +44 (0)20 7729 7060
 []  [] http://www.lshift.net/ | Email: tonyg at lshift.net
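
An added example, not part of the original message or of KryptOn: a Python sketch of the sealing change discussed above, comparing an encrypt-only envelope with an encrypt-then-MAC one when a single bit changes in transit. HMAC-SHA256 in counter mode stands in for Rijndael (an assumption, since the Python standard library has no block cipher), and every function name and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import os

def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream; HMAC-SHA256 is a stand-in PRF for Rijndael (assumption).
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_encrypt_only(enc_key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per envelope; never reuse with the same key
    return nonce + xor(data, keystream(enc_key, nonce, len(data)))

def open_encrypt_only(enc_key: bytes, sealed: bytes) -> bytes:
    nonce, ct = sealed[:16], sealed[16:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))  # accepts any input

def seal_encrypt_then_mac(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    body = seal_encrypt_only(enc_key, data)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # tag covers nonce + ciphertext

def open_encrypt_then_mac(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    if len(sealed) < 16 + 32:
        raise ValueError("envelope too short")
    body, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("envelope failed integrity check")
    return open_encrypt_only(enc_key, body)  # decrypt only after the tag verifies

def flip_bit(blob: bytes, index: int) -> bytes:
    # Models one bit of corruption or modification between sender and receiver.
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]

def demo() -> tuple:
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # independent keys
    signed = b"constructed sample: signature||payload"
    plain_out = open_encrypt_only(enc_key, flip_bit(seal_encrypt_only(enc_key, signed), 20))
    try:
        open_encrypt_then_mac(enc_key, mac_key, flip_bit(seal_encrypt_then_mac(enc_key, mac_key, signed), 20))
        rejected = False
    except ValueError:
        rejected = True
    return plain_out != signed, rejected  # (silently altered, tampering detected)

if __name__ == "__main__":
    print(demo())
```

The encrypt-only envelope opens without error and yields altered data, while the encrypt-then-MAC envelope refuses to decrypt once the tag no longer matches.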

