Re: authenticated encryption (2003-05-06 21:03:47)
 
Presently, if you want integrity, then a signature is required, which 
defeats the attack that is described.  I would be interested in looking 
into the use of CCM, EAX, CWC, or any other authenticated encryption mode 
AFTER the update to RFC 2633 is published.  I would not like to delay 
publication of the update while this is investigated. 
Russ
Security Area Director
At 05:01 PM 5/5/2003 -0700, Trevor Perrin wrote:
 
Hello S/MIME,
I'm curious what this group thinks about adopting an 
authenticated-encryption cipher mode, such as: 
EAX: 
https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00223.html
CWC: 
https://www1.ietf.org/mail-archive/working-groups/cfrg/current/msg00224.html 
Such a mode could integrity-protect S/MIME encrypted-only messages.  It 
could also defend against an oracle attack on signed-then-CBC-encrypted 
messages.  I'm not sure this attack is well known, so I'll describe it: 
If the plaintext is a sequence of blocks P[1],P[2],.., and the ciphertext 
is a sequence of blocks where C[0] is the IV, followed by C[1],C[2],.., 
then we assume the attacker wants to verify a guess G for P[X], and knows 
the value of P[1] (the first blocksize bytes of the ContentInfo containing 
SignedData, which is just a well-known ASN.1 header). 
The attacker copies C[X] over C[1], and sets C[0] = G xor C[X-1] xor 
P[1].  If his guess is correct, then the new ciphertext C[1] will decrypt 
to the same plaintext P[1] it would have without his modifications - if 
his guess is wrong, the decrypted P[1] will have bit errors, which will 
probably cause an error in the recipient's software. 
If the recipient is a person, she might respond saying "I can't read 
this".  If the recipient is a server (like an S/MIME MTA), it might 
respond with an error message, allowing the attack to be iterated. 
Might solving these issues in one swoop be a good rationale for 
authenticated encryption? 
Trevor
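A runnable sketch of the CBC manipulation Trevor describes, alongside why an authenticated mode closes it. This is an added example, not part of the original thread: it uses a toy Feistel block cipher in place of a real one, encrypt-then-MAC with HMAC as a stand-in for EAX/CWC, and constructed keys and plaintexts throughout.

```python
import hashlib, hmac

def xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function (keyed, truncated SHA-256); the cipher stands in for a real one.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over a 16-byte block; any invertible permutation would do.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round(key, left, rnd)), left
    return left + right

def cbc_encrypt(key, iv, blocks):
    out, prev = [iv], iv  # C[0] is the IV, followed by C[1], C[2], ...
    for p in blocks:
        prev = toy_encrypt_block(key, xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, c):
    return [xor(toy_decrypt_block(key, c[i]), c[i - 1]) for i in range(1, len(c))]
def forge_for_guess(c, x, guess, p1):
    # Copy C[X] over C[1] and set C[0] = G xor C[X-1] xor P[1]: new C[1] decrypts to P[1] iff G == P[X].
    forged = list(c)
    forged[1], forged[0] = c[x], xor(xor(guess, c[x - 1]), p1)
    return forged

def authenticated_decrypt(enc_key, mac_key, c, tag):
    # Encrypt-then-MAC over IV and all blocks, checked before decrypting: a tampered
    # message gives one uniform failure instead of a plaintext-dependent parse error.
    expected = hmac.new(mac_key, b"".join(c), hashlib.sha256).digest()
    return cbc_decrypt(enc_key, c) if hmac.compare_digest(expected, tag) else None

def demo():
    enc_key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(16)  # constructed values
    p1 = b"\x30\x82\x01\x00" + b"\x00" * 12  # stand-in for the well-known ASN.1 header block
    c = cbc_encrypt(enc_key, iv, [p1, b"filler block 02!", b"secret-block-abc"])
    tag = hmac.new(mac_key, b"".join(c), hashlib.sha256).digest()
    # Plain CBC, inspecting only block 1 as in the message: P[1] survives iff the guess for P[3] is right.
    accepted = lambda g: cbc_decrypt(enc_key, forge_for_guess(c, 3, g, p1))[0] == p1
    # With authentication the same forgery is rejected outright, right guess or wrong.
    rejected = authenticated_decrypt(enc_key, mac_key, forge_for_guess(c, 3, b"secret-block-abc", p1), tag) is None
    return accepted(b"secret-block-abc"), accepted(b"wrong-guess-abcd"), rejected  # (True, False, True)
```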
 