[tahoe-dev] protecting against bugs in our own crypto code

Ben Laurie ben at links.org
Wed May 7 02:58:41 PDT 2008


zooko wrote:
> On May 6, 2008, at 2:01 PM, Brian Warner wrote:
> 
>>> Fortunately, we can have both integrity-check on the plaintext, and
>>> immunity to the question of such attacks by using a MAC instead of a
>>> secure hash, where the MAC key is (derived from) the encryption key.
>>> As a bonus, we can get reduced CPU usage and smaller Capability
>>> Extension Blocks compared to a secure hash of the plaintext by using
>>> the modern Carter-Wegman MAC such as Poly1305-AES or VMAC-AES-128.
>> Two other alternatives we might consider:
>>
>>  encrypt the plaintext hash(es)
> 
> Why would this be better than a MAC?
> 
> A fair answer would be "Because we understand secure hashes and
> encryption better than we understand MACs, and other people do, too.".

Heh, but what we understand is that secure hashes are weaker than HMACs
derived from them :-)

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
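Added example, not code from this thread or from Tahoe: the contrast the thread draws between an unkeyed hash of the plaintext and a MAC whose key is derived from the encryption key, with HMAC-SHA256 standing in for the Poly1305-AES or VMAC the thread mentions. The key, plaintext and derivation label are constructed assumptions; the point shown is that a stored plaintext hash lets anyone confirm a guessed plaintext, while the keyed tag does not.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not Tahoe's real keys or formats).
ENCRYPTION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
PLAINTEXT = b"file contents that must stay confidential"


def derive_mac_key(encryption_key: bytes) -> bytes:
    """Derive the MAC key from the encryption key so the reader holds one secret.

    HMAC-SHA256 under a fixed label serves as the KDF here; the label is a
    hypothetical one chosen for this example, not Tahoe's derivation."""
    return hmac.new(encryption_key, b"example-plaintext-mac-key", hashlib.sha256).digest()


def plaintext_hash(plaintext: bytes) -> bytes:
    """Unkeyed check value: anyone can recompute it from a candidate plaintext."""
    return hashlib.sha256(plaintext).digest()


def plaintext_mac(encryption_key: bytes, plaintext: bytes) -> bytes:
    """Keyed check value: only holders of the encryption key can compute it."""
    return hmac.new(derive_mac_key(encryption_key), plaintext, hashlib.sha256).digest()


def verify_plaintext(encryption_key: bytes, plaintext: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed MAC against the stored tag."""
    return hmac.compare_digest(plaintext_mac(encryption_key, plaintext), tag)


def hash_confirms_guess(stored_hash: bytes, guess: bytes) -> bool:
    """A party holding only the stored hash can confirm a guessed plaintext."""
    return hmac.compare_digest(plaintext_hash(guess), stored_hash)


def mac_confirms_guess(stored_tag: bytes, guess: bytes, attacker_key: bytes) -> bool:
    """Without the real key, even a correct guess of the plaintext does not
    reproduce the tag, so the stored tag confirms nothing to an outsider."""
    return hmac.compare_digest(plaintext_mac(attacker_key, guess), stored_tag)


if __name__ == "__main__":
    tag = plaintext_mac(ENCRYPTION_KEY, PLAINTEXT)
    print("valid tag accepted:", verify_plaintext(ENCRYPTION_KEY, PLAINTEXT, tag))
    print("tampered plaintext rejected:", not verify_plaintext(ENCRYPTION_KEY, PLAINTEXT + b"!", tag))
    print("hash confirms a guess:", hash_confirms_guess(plaintext_hash(PLAINTEXT), PLAINTEXT))
    print("MAC confirms a guess without the key:", mac_confirms_guess(tag, PLAINTEXT, bytes(16)))
```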