
Using Encryption and Authentication Correctly - paragon_init
https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly?resubmit=true
======
tptacek
This is good. I'd move the "Cryptographic Doom Principle" earlier in the
article. I'd make it clearer that even though "encryption" and
authentication" provide two different "services", _you can't have encryption
without message authentication_. Also: I'd consider developing examples with
CTR instead of CBC.

~~~
kkl
Why would you prefer CTR over CBC (assuming properly authenticated)? The only
benefit I could think of is performance.

~~~
paragon_init
CTR saves you the trouble of padding your plaintext before encrypting, thus
eliminating an entire class of cryptography attacks (i.e. padding oracles).
The security margins of CBC and CTR are otherwise similar.

GCM is far preferable to either CBC or CTR because it's less for the
implementer to screw up.

NaCl's ChaCha20-Poly1305 is even better, because it's fast and constant-time.

'cperciva made the CTR+HMAC recommendation here:
[http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html](http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html)

Properly authenticated encryption that uses CBC+HMAC-SHA2 with PKCS7 padding
is probably okay, but new developments _should_ prefer AEAD modes above all
else, and CTR+HMAC-SHA2 if no AEAD modes are available.

(The kind folks in ##crypto on freenode have pointed out to me that CTR also
allows random-access decryption, where CBC mode does not. We haven't ever
implemented this feature and cannot comment on it.)

~~~
tptacek
Be very careful with random-access CTR.

~~~
wolf550e
Could you please point to an explanation why random access CTR decryption is
dangerous? Or why it's more or less secure than random access CBC decryption?

Or is random access CTR encryption dangerous? I don't see how, unless you
reuse the keystream / make it a two-time pad.

~~~
paragon_init
[https://www.imperialviolet.org/2014/06/27/streamingencryptio...](https://www.imperialviolet.org/2014/06/27/streamingencryption.html)

Thomas's answer probably has to do with the risks of decrypting a stream and
being unable to authenticate it first. (See also: the Cryptographic Doom
Principle.)

~~~
wolf550e
But it is still safe to do random access AES-CTR if you've already checked the
MAC. Random access is not a problem, decrypting before authenticating is a
problem.
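
The CTR+HMAC-SHA2 encrypt-then-MAC composition paragon_init recommends above, together with the verify-then-random-access decryption wolf550e describes, as an added example in Go using only the standard library. This is not code from the linked article, from Paragon's libraries, or from any commenter; the wire format (nonce || ciphertext || tag), the function names, and the use of two separate 256-bit keys are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire format (assumed for this example): nonce (16) || AES-CTR ciphertext || HMAC-SHA256 tag (32).
// The tag covers nonce || ciphertext, i.e. encrypt-then-MAC.
const (
	nonceSize = aes.BlockSize
	tagSize   = sha256.Size
)

var errAuth = errors.New("ctrhmac: authentication failed")

// Encrypt runs AES-CTR, then MACs the result. CTR needs no padding, so
// len(ciphertext) == len(plaintext) and there is no padding for an oracle to leak.
// encKey and macKey must be independent keys; a nonce must never repeat under encKey.
func Encrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, nonceSize+len(plaintext), nonceSize+len(plaintext)+tagSize)
	if _, err := rand.Read(out[:nonceSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:nonceSize]).XORKeyStream(out[nonceSize:], plaintext)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)           // nonce || ciphertext
	return mac.Sum(out), nil // appends the tag in place
}

// verify is the only way to reach the ciphertext: nothing is decrypted, not even
// one block, until the tag over the whole message passes a constant-time check.
func verify(macKey, msg []byte) (nonce, ct []byte, err error) {
	if len(msg) < nonceSize+tagSize {
		return nil, nil, errAuth
	}
	body, tag := msg[:len(msg)-tagSize], msg[len(msg)-tagSize:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, nil, errAuth
	}
	return body[:nonceSize], body[nonceSize:], nil
}

// Decrypt verifies, then decrypts the whole message.
func Decrypt(encKey, macKey, msg []byte) ([]byte, error) {
	nonce, ct, err := verify(macKey, msg)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, nonce).XORKeyStream(pt, ct)
	return pt, nil
}

// DecryptRange returns plaintext bytes [off, off+n) after verifying the MAC over the
// whole message. CTR keystream block i is E(nonce+i), so the counter can start at the
// block containing off and everything before it is skipped, not decrypted.
func DecryptRange(encKey, macKey, msg []byte, off, n int) ([]byte, error) {
	nonce, ct, err := verify(macKey, msg)
	if err != nil {
		return nil, err
	}
	if off < 0 || n < 0 || off+n > len(ct) {
		return nil, errors.New("ctrhmac: range out of bounds")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	first := off / aes.BlockSize
	end := (off + n + aes.BlockSize - 1) / aes.BlockSize * aes.BlockSize
	if end > len(ct) {
		end = len(ct)
	}
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, nonce)
	addCounter(ctr, uint64(first)) // Go's CTR mode treats the IV as a big-endian 128-bit counter
	chunk := ct[first*aes.BlockSize : end]
	pt := make([]byte, len(chunk))
	cipher.NewCTR(block, ctr).XORKeyStream(pt, chunk)
	skip := off - first*aes.BlockSize
	return pt[skip : skip+n], nil
}

// addCounter adds v to a 128-bit big-endian counter in place.
func addCounter(ctr []byte, v uint64) {
	hi, lo := binary.BigEndian.Uint64(ctr[:8]), binary.BigEndian.Uint64(ctr[8:])
	sum := lo + v
	if sum < lo {
		hi++
	}
	binary.BigEndian.PutUint64(ctr[:8], hi)
	binary.BigEndian.PutUint64(ctr[8:], sum)
}

func main() {
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	rand.Read(encKey)
	rand.Read(macKey)
	msg, _ := Encrypt(encKey, macKey, []byte("constructed sample plaintext, longer than one AES block"))
	part, err := DecryptRange(encKey, macKey, msg, 12, 16)
	fmt.Printf("%q %v\n", part, err)
	msg[nonceSize] ^= 1 // flip one ciphertext bit
	_, err = Decrypt(encKey, macKey, msg)
	fmt.Println(err) // caught by the MAC before any block is decrypted
}
```

Two things in this example are the whole point of the thread: `verify` runs `hmac.Equal` over the entire message before either decryption path touches the ciphertext, and `DecryptRange` gets its random access purely from CTR's counter arithmetic, which CBC cannot offer. If a caller skipped `verify` to save the hash over a large blob, the "be careful" warning above would apply.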

~~~
paragon_init
I think that's why the statement was "be careful with" rather than "don't".

------
ignoramous
crypto.stackex has an interesting discussion on EtM and MtE:
[http://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-encrypt-then-mac](http://crypto.stackexchange.com/questions/202/should-we-mac-then-encrypt-or-encrypt-then-mac)
One interesting takeaway was that Bruce Schneier is of the opinion that MtE
(Cryptographic Doom according to Moxie) is more practical than EtM.

Interesting to note that different security protocols on the Internet prefer
different schemes:


    1. SSH does Encrypt and MAC
    2. SSL uses MtE
    3. IPSec prefers EtM

Also see: Authenticating users over REST
[http://restcookbook.com/Basics/loggingin/](http://restcookbook.com/Basics/loggingin/)
which glances at the details not covered by the blog post (using a nonce to
prevent replay attacks, for instance).

~~~
tptacek
Bruce Schneier was wrong about MtE. This isn't so much a matter of opinion as
it is (a) the currently prevailing theory in academic cryptography, at least
when it comes to generic composition, and (b) the clear verdict of the last 10
years of crypto vulnerabilities.

Just writing this to be clear: it's not a debate. Ignore Schneier on this. In
his defense: the most notable things he wrote about MtE were written before
this was well-understood.

~~~
zx2c4
Actually Rogaway's new AEZ proposal for CAESAR has a sort of MtE:
[http://web.cs.ucdavis.edu/~rogaway/aez/aez.pdf](http://web.cs.ucdavis.edu/~rogaway/aez/aez.pdf)

The "MAC" here is just a block of zeros, and if decryption successfully
reveals such a block of zeros, then it's deemed authentic.

This is a pretty specific quality to their construction though, and it doesn't
really work elsewhere.

~~~
tptacek
Yep. "Generic composition" (taking independently designed MACs and cipher
modes and rolling your own AE) is my cop-out in case 'pbsd shows up to correct
me.

Generally, though, and without intending snark:

If you're discussing MTE v ETM, and Bruce Schneier comes up, the answer is
ETM.

