On Jun 10, 2014, at 6:01 PM, Hugo Krawczyk
<hugo(_at_)ee(_dot_)technion(_dot_)ac(_dot_)il> wrote:
The technical results in my 2001 paper are correct but the conclusion
regarding SSL/TLS is wrong. I assumed that TLS was using fresh IVs and that
the MAC was computed on the encoded plaintext, i.e. Encode-Mac-Encrypt while
TLS is doing Mac-Encode-Encrypt which is exactly what my theoretical example
shows is insecure. The later padding attacks showed that the theoretical
example of insecurity had a very practical instantiation in TLS. While the
paper shows correctly that MAC-then-Encrypt can be secure with both CBC and
stream ciphers, it also shows that it requires a LOT of care about encoding -
it turned out that TLS/SSL was not doing that. So if you want to keep
Mac-then-Encrypt then you must change the encoding as well as how you apply
the MAC. Changing to Encrypt-then-MAC is a much safer solution.
Hugo
Thanks
Yoav
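The two orderings Hugo contrasts, side by side, as an added example (not code from his paper, from TLS, or from any project): a toy Feistel cipher stands in for AES-CBC and PKCS#7-style padding stands in for TLS's own encoding, both constructed for illustration only. In MAC-then-Encrypt the receiver has to decode the padding before it can even locate the tag, so a corrupted record fails in two distinguishable ways; in Encrypt-then-MAC any modified ciphertext is rejected before decryption, so only one failure mode exists.

```python
import hmac, hashlib, os
BLOCK, TAG = 16, 32

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def _block(key, blk, encrypt):
    # Toy 16-byte block cipher (4-round Feistel over HMAC-SHA256), constructed only to stand in for AES
    l, r = blk[:8], blk[8:]
    for i in (range(4) if encrypt else reversed(range(4))):
        l, r = (r, _xor(l, _f(key, i, r))) if encrypt else (_xor(r, _f(key, i, l)), l)
    return l + r
def _cbc(key, iv, data, encrypt):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = _block(key, _xor(blk, prev), True) if encrypt else _xor(_block(key, blk, False), prev)
        out, prev = out + cur, (cur if encrypt else blk)
    return out
def _pad(data):  # PKCS#7-style padding; TLS's own encoding differs in detail
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n: raise ValueError("bad padding")
    return data[:-n]
def mte_seal(ek, mk, msg):  # MAC-then-Encrypt: tag, pad, encrypt (the SSL/TLS CBC order)
    iv = os.urandom(BLOCK); return iv + _cbc(ek, iv, _pad(msg + hmac.new(mk, msg, hashlib.sha256).digest()), True)
def mte_open(ek, mk, ct):
    # Padding is stripped before the tag can even be located, so padding and MAC failures are distinct outcomes
    pt = _unpad(_cbc(ek, ct[:BLOCK], ct[BLOCK:], False))
    if not hmac.compare_digest(pt[-TAG:], hmac.new(mk, pt[:-TAG], hashlib.sha256).digest()):
        raise ValueError("bad mac")
    return pt[:-TAG]
def etm_seal(ek, mk, msg):  # Encrypt-then-MAC: pad, encrypt, then tag the whole ciphertext
    iv = os.urandom(BLOCK); ct = iv + _cbc(ek, iv, _pad(msg), True)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()
def etm_open(ek, mk, ct):
    if not hmac.compare_digest(ct[-TAG:], hmac.new(mk, ct[:-TAG], hashlib.sha256).digest()):
        raise ValueError("bad mac")  # rejected before any decryption or padding logic runs
    return _unpad(_cbc(ek, ct[:BLOCK], ct[BLOCK:-TAG], False))

def failure_modes(seal, open_, ek, mk, msg):
    # Receiver check: corrupt each byte of a valid ciphertext and collect the distinct rejection reasons exposed
    ct, seen = seal(ek, mk, msg), set()
    for i in range(len(ct)):
        try: open_(ek, mk, ct[:i] + bytes([ct[i] ^ 1]) + ct[i + 1:]); seen.add("accepted")
        except ValueError as e: seen.add(str(e))
    return seen
```

`failure_modes` is the check worth keeping: a receiver whose rejection reasons collapse to a single set member gives an on-path party nothing to distinguish.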