prefer etm MACs #66
Our order of MACs currently is this (on my ubuntu-14.04 system)
https://stribika.github.io/2015/01/04/secure-secure-shell.html by @stribika recommends the following order:
Leaving aside the fact that he includes email@example.com (which we don't), I find it interesting that he prefers the use of Encrypt-then-MAC over longer key lengths. Not being a cryptographer, I'm somewhat cargo-culting this argument, but "Only Encrypt-then-MAC should be used, period" is a strong statement by somebody who obviously is more knowledgeable about these matters than I am.
What do you guys think?
My reason for saying that is things tend to go wrong when you use primitives for things they were not designed to do. When using EtM you have a security proof conditional on the security of the cipher and the MAC.
In the case of E&M, we are assuming the MAC doesn't leak anything about the plaintext. I think this is true for HMAC, I have no idea about UMAC.
The attack is exploiting the potential timing difference between decryption failure and verification failure. I think this is not a problem if we use CTR ciphers because decryption can't fail. It is possible to implement E&M correctly but it's nearly impossible to screw up EtM.
You have a bunch of "I think"s and that should not be reassuring because I am not a real cryptographer.
We don't know how, but we do know that the NSA is breaking SSH. They either found some bug like that or they have a mathematical advantage that reduces the effective security from 128 bits to something breakable. In the first case, EtM is more important, in the second case the security margin from the extra bits can save your data. I suspect the first.
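The two properties argued about above (a receiver under EtM rejects a forged packet before the cipher ever runs on it, while under E&M it must decrypt first; and an E&M tag computed over the bare plaintext is deterministic per plaintext) can be seen directly in code. The following is an added example, not code from this issue, from the linked post or from OpenSSH. It assumes a toy CTR-style stream cipher built from HMAC-SHA256 as a stand-in for AES-CTR so that it runs on the Python standard library alone; like real CTR mode, its decryption is a plain XOR and cannot fail, so the only thing that can go wrong on receive is the MAC check. The `trace` list, the `*_demo` functions and the sample payloads are constructed for the example. Note that SSH's own MAC input is `sequence_number || packet`, which already differs per packet, so the equality leak shown by `equality_leak_demo` is a property of generic E&M over the raw plaintext, not a claim about SSH's E&M MACs.

```python
import hmac
import hashlib
import os

# Toy CTR-style stream cipher standing in for AES-CTR (assumption: stdlib only).
# Keystream block i = HMAC-SHA256(k_enc, nonce || i); encrypt and decrypt are
# the same XOR, so, exactly as with CTR mode, "decryption" can never fail.
def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])

def _xor_crypt(k_enc: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(k_enc, nonce, len(data))))

def _mac(k_mac: bytes, data: bytes) -> bytes:
    return hmac.new(k_mac, data, hashlib.sha256).digest()

# Encrypt-then-MAC: the tag covers nonce || ciphertext, so the receiver can
# verify the tag and drop a forged packet before running the cipher at all.
def etm_seal(k_enc, k_mac, nonce, plaintext):
    ct = _xor_crypt(k_enc, nonce, plaintext)
    return ct, _mac(k_mac, nonce + ct)

def etm_open(k_enc, k_mac, nonce, ct, tag, trace):
    if not hmac.compare_digest(_mac(k_mac, nonce + ct), tag):
        return None                      # rejected; the cipher never touched the data
    trace.append("cipher")               # instrumentation: record that decryption ran
    return _xor_crypt(k_enc, nonce, ct)

# Encrypt-and-MAC: the tag covers the plaintext, so the receiver has to decrypt
# attacker-controlled bytes first just to recompute the MAC it compares against.
def eam_seal(k_enc, k_mac, nonce, plaintext):
    return _xor_crypt(k_enc, nonce, plaintext), _mac(k_mac, plaintext)

def eam_open(k_enc, k_mac, nonce, ct, tag, trace):
    trace.append("cipher")               # decryption happens before any integrity check
    pt = _xor_crypt(k_enc, nonce, ct)
    if not hmac.compare_digest(_mac(k_mac, pt), tag):
        return None
    return pt

def tamper_demo():
    """Flip one ciphertext bit; report (result, did the receiver run the cipher?)."""
    k_enc, k_mac, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    msg = b"constructed sample packet"   # constructed payload
    out = {}
    for name, seal, open_ in (("etm", etm_seal, etm_open), ("eam", eam_seal, eam_open)):
        ct, tag = seal(k_enc, k_mac, nonce, msg)
        bad_ct = bytes([ct[0] ^ 0x01]) + ct[1:]
        trace = []
        out[name] = (open_(k_enc, k_mac, nonce, bad_ct, tag, trace), "cipher" in trace)
    return out

def equality_leak_demo():
    """Same plaintext sent twice under fresh nonces: do the tags reveal the repeat?"""
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    msg = b"constructed repeated payload"   # constructed payload
    etm_tags = [etm_seal(k_enc, k_mac, os.urandom(16), msg)[1] for _ in range(2)]
    eam_tags = [eam_seal(k_enc, k_mac, os.urandom(16), msg)[1] for _ in range(2)]
    return {"etm_tags_equal": etm_tags[0] == etm_tags[1],
            "eam_tags_equal": eam_tags[0] == eam_tags[1]}

if __name__ == "__main__":
    print(tamper_demo())         # {'etm': (None, False), 'eam': (None, True)}
    print(equality_leak_demo())  # {'etm_tags_equal': False, 'eam_tags_equal': True}
```

Both receivers reject the tampered packet, but only the E&M one has already run the cipher over attacker-chosen bytes by the time it finds out. With a CTR-style cipher that step cannot fail, which is the point made above; with a cipher that can fail (padding, framing) it becomes a second, distinguishable error path, and the EtM ordering removes it.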