[tahoe-dev] how to encrypt and integrity-check with only one value [correction]

David-Sarah Hopwood david-sarah at jacaranda.org
Sun Sep 6 18:18:35 UTC 2009


David-Sarah Hopwood wrote:
>  - If the encryption used to produce k_enc is not an authenticated
>    encryption scheme, then an attacker can potentially modify k_enc,
>    and now an incorrect key k will be used for the decryption
>    (possibly one that is related to the correct key). This means
>    that an incorrect plaintext will be produced and accepted,
>    assuming that the main encryption algorithm is also not
>    authenticated. The check that r = H(k, v) will not catch this
>    since it only verifies the ciphertext.

Sorry, I'm talking nonsense. The incorrect k *will* be caught by the
check on H(k, v).

OTOH, that depends on there being no interaction between the k_enc
encryption and the hash. So it does seem as though a security proof
may be easier if the k_enc encryption is authenticated.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
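
The corrected claim in the message above, as an added example that is not part of the original post: a bit flipped in an unauthenticated k_enc decrypts to a related key k', and the check r = H(k, v) rejects it. The XOR wrap, the SHA-256 construction of H, treating v as the ciphertext bytes, and all sample values are assumptions made for illustration; the hash and the wrap are independent here, which is the condition the message says the argument depends on.

```python
import hashlib
import hmac


def H(k: bytes, v: bytes) -> bytes:
    # Assumption: H(k, v) modelled as SHA-256 over length-prefixed k, then v.
    return hashlib.sha256(len(k).to_bytes(2, "big") + k + v).digest()


def xor_wrap(wrap_key: bytes, data: bytes) -> bytes:
    # Stand-in for any unauthenticated cipher (malleable, no integrity tag).
    # XOR with a derived pad, so the same call wraps and unwraps (<= 32 bytes).
    pad = hashlib.sha256(b"k_enc pad" + wrap_key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))


def flip_low_bit(blob: bytes) -> bytes:
    # Models the modification of k_enc: flip one bit of the first byte.
    return bytes([blob[0] ^ 0x01]) + blob[1:]


def read(wrap_key: bytes, k_enc: bytes, v: bytes, r: bytes):
    # Recover k from k_enc, then apply the check r == H(k, v).
    # Returns k on success, None when the check fails.
    k = xor_wrap(wrap_key, k_enc)
    if not hmac.compare_digest(H(k, v), r):
        return None
    return k


# Constructed sample values, not taken from the thread.
WRAP_KEY = bytes(range(32))
K = hashlib.sha256(b"constructed content key").digest()
V = b"constructed ciphertext bytes"
R = H(K, V)                      # the single value the reader checks against
K_ENC = xor_wrap(WRAP_KEY, K)    # unauthenticated encryption of k

if __name__ == "__main__":
    tampered = flip_low_bit(K_ENC)
    k_prime = xor_wrap(WRAP_KEY, tampered)
    # k' differs from k in exactly the flipped bit: a related key.
    print("k' == k with one bit flipped:", k_prime == flip_low_bit(K))
    print("honest k_enc accepted:", read(WRAP_KEY, K_ENC, V, R) == K)
    print("tampered k_enc accepted:", read(WRAP_KEY, tampered, V, R) is not None)
```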



