[tahoe-dev] protecting against bugs in our own crypto code
Ben Laurie
ben at links.org
Wed May 7 09:58:41 UTC 2008
zooko wrote:
> On May 6, 2008, at 2:01 PM, Brian Warner wrote:
>
>>> Fortunately, we can have both integrity-check on the plaintext, and
>>> immunity to the question of such attacks by using a MAC instead of a
>>> secure hash, where the MAC key is (derived from) the encryption key.
>>> As a bonus, we can get reduced CPU usage and smaller Capability
>>> Extension Blocks compared to a secure hash of the plaintext by using
>>> the modern Carter-Wegman MAC such as Poly1305-AES or VMAC-AES-128.
>> Two other alternatives we might consider:
>>
>> encrypt the plaintext hash(es)
>
> Why would this be better than a MAC?
>
> A fair answer would be "Because we understand secure hashes and
> encryption better than we understand MACs, and other people do, too.".
Heh, but what we understand is that secure hashes are weaker than HMACs
derived from them :-)
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
More information about the tahoe-dev
mailing list