ietf-openpgp

Re: Czech attack to PGP

2001-03-28 17:17:18
At 11:18 AM -0800 3/28/01, hal(_at_)finney(_dot_)org wrote:
> A thread on sci.crypt recently pointed to an AsiaCrypt 2000 paper by Mihir
> Bellare, http://www-cse.ucsd.edu/users/mihir/papers/oem.html.  This is
> a theoretical analysis showing that based on very minimal assumptions
> of the properties of MAC and encryption algorithms, the strongest mode
> is to encrypt and then MAC.  That is, you compute a keyed MAC on the
> ciphertext in order to detect modification.
>
> In our case we might just compute an HMAC over the entire secret key
> packet, and append it.

I must admit that when coding for the real world, I always liked checking
the MAC as late as possible.  That lets the MAC check as much of the
process as possible for errors.  (If you compute the MAC before encryption
and check it after decryption, the MAC checks the encryption-decryption
process.  In real life, I have found a timing-dependent error using this
check.)

In the specific case of secret keys, the arithmetic consistency checks may
result in the same degree of assurance as a MAC, so applying the MAC after
encryption and checking it before decryption may be the right answer.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz(_at_)netcom(_dot_)com | hard disk.                 | Los Gatos, CA 95032, USA
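A worked comparison of the two compositions the thread discusses, added here as an example; it is not code from either post or from any OpenPGP implementation. It uses HMAC-SHA256 in counter mode as a stand-in for the symmetric cipher (an assumption made so the script is self-contained), a 16-byte nonce and a 32-byte HMAC tag; the "secret key packet" is a constructed byte string, and the fault in the decryption path that Bill mentions is simulated by decrypting with the wrong key. All function names (etm_seal, mte_open, compare_compositions, ...) are this example's own.

```python
import hmac
import hashlib

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 used as a PRF.

    Assumption: this stands in for the block cipher an OpenPGP
    implementation would actually use; the composition logic below
    does not depend on which cipher produces the keystream.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# --- Encrypt-then-MAC: tag covers the ciphertext, checked before decryption ---

def etm_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = stream_xor(enc_key, nonce, plaintext)
    return nonce + ct + mac(mac_key, nonce + ct)


def etm_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, nonce + ct)):
        return None  # a modified packet is rejected without ever decrypting it
    return stream_xor(enc_key, nonce, ct)


# --- MAC-then-Encrypt: tag covers the plaintext, checked after decryption ---

def mte_seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return nonce + stream_xor(enc_key, nonce, plaintext + mac(mac_key, plaintext))


def mte_open(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    pt_and_tag = stream_xor(enc_key, nonce, ct)
    pt, tag = pt_and_tag[:-TAG_LEN], pt_and_tag[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(mac_key, pt)):
        return None  # catches ciphertext modification and a faulty decrypt path alike
    return pt


def flip_bit(blob: bytes, index: int) -> bytes:
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


def compare_compositions(enc_key, mac_key, wrong_enc_key, nonce, packet):
    """Run both compositions against a flipped ciphertext byte and against a
    decryption-side fault (simulated here by decrypting with the wrong key)."""
    etm = etm_seal(enc_key, mac_key, nonce, packet)
    mte = mte_seal(enc_key, mac_key, nonce, packet)
    tampered_at = NONCE_LEN + 3  # a byte inside the encrypted packet body
    return {
        "etm_roundtrip": etm_open(enc_key, mac_key, etm) == packet,
        "mte_roundtrip": mte_open(enc_key, mac_key, mte) == packet,
        "etm_rejects_tamper": etm_open(enc_key, mac_key, flip_bit(etm, tampered_at)) is None,
        "mte_rejects_tamper": mte_open(enc_key, mac_key, flip_bit(mte, tampered_at)) is None,
        # EtM's tag still verifies (the ciphertext is intact), so a broken
        # decrypt path hands back garbage plaintext undetected ...
        "etm_detects_decrypt_fault": etm_open(wrong_enc_key, mac_key, etm) is None,
        # ... while MtE's post-decryption check catches it.
        "mte_detects_decrypt_fault": mte_open(wrong_enc_key, mac_key, mte) is None,
    }


if __name__ == "__main__":
    # Constructed sample: keys, nonce and a stand-in "secret key packet" body.
    results = compare_compositions(b"E" * 32, b"M" * 32, b"X" * 32, b"N" * 16, bytes(range(40)))
    for name, value in results.items():
        print(f"{name}: {value}")
```

Both compositions reject the flipped byte, which is the case that matters for a modified secret key packet; the difference the script isolates is the one Bill raises: only the MAC-then-Encrypt check, taken as late as possible, notices when the decryption step itself goes wrong, whereas Encrypt-then-MAC never lets a modified ciphertext reach the decryptor at all. Which property you want for a stored secret key is exactly the trade-off the last paragraph of the reply describes.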


