ietf-openpgp
Re: A review of hash function brittleness in OpenPGP

2009-01-13 02:12:25

Ben Laurie <ben(_at_)links(_dot_)org> writes:
> Jon Callas wrote:
> > (Let me put on my hash-designer's hat for a moment. In Skein, we
> > created a one-pass MAC construction that can replace HMAC. It also has
> > a proof of security.
>
> I wish people would stop saying that things have "a proof of security". Rot13
> has a proof of security, but I don't want to use it. You need to state what
> security properties you have proved.

On the subject of provable security, I've just been reading a paper that
provides a rigorous proof that a particular security mechanism is secure
(under appropriate assumptions regarding the cryptographic functions used).
Unfortunately this is a mechanism that's a slight variant of "click-OK-to-continue",
which means that it's close to worthless in practice (a result supported
both anecdotally and by a number of HCI papers that have evaluated it).  So
this would be a prime example of a rigorous provably-secure crypto mechanism
that thirty seconds of googling or a beer's worth of analysis would show
doesn't actually work.

(I haven't mentioned the paper name because I'm not trying to attack the
author, just using it as a nice example of a provably secure but practically
insecure mechanism; I can provide details in private email if anyone really
wants to know).

Peter.