Not IND-CCA secure #4
Comments
|
Thanks, was about to open a similar issue when I noticed this one. As far as I can tell from the sourcecode MAC-then-encrypt is used: https://github.com/moxie0/knockknock/blob/master/knockknock/CryptoEngine.py#L49-52 This could easily be changed to an ETM scheme, is @moxie0 accepting pull requests for that? As a further reference, a current IETF draft on ETM for TLS by Peter Gutmann: https://tools.ietf.org/html/draft-ietf-tls-encrypt-then-mac |
|
Might it make sense to just use GCM? |
|
Yes. as would switching to cryptography (https://cryptography.io/). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The README specifies IND-CCA as a requirement and states that the implementation uses "authenticate-then-encrypt" to obtain authenticated encryption. Indeed, the code in CryptoEngine.encrypt() computes an HMAC, concatenates it with the plaintext, and encrypts the result. The problem is, MAC-then-encrypt is not IND-CCA secure. To achieve IND-CCA, encrypt-then-MAC should be used. See [1] for details. Figure 2 gives a nice summary of their results.
[1] M. Bellare and C. Namprempre. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. Advances in Cryptology - Asiacrypt 2000 Proceedings, Lecture Notes in Computer Science Vol. 1976, Springer-Verlag, 2000. http://cseweb.ucsd.edu/~mihir/papers/oem.pdf
The text was updated successfully, but these errors were encountered: