Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Attackers get to arbitrarily change the ciphertext, and can watch the recipient carefully to see how it reacts to different altered ciphertexts. With a bad AES implementation, things like timing differences can leak key bits.

That's not much of a problem with CTR mode --- CTR encrypts keystream, and XORs your data, so your data doesn't actually influence AES state much --- but it's a potential problem with CBC-MAC or OMAC, which do feed your data through AES.



Presumably this isn't an issue if you encrypt using AES/CBC then add a MAC to the encrypted data?


The issue is that the fastest MACs use AES themselves, usually with the same key as was used to encrypt. CBC-MAC, OMAC, GCM, Poly1305-AES, all generate a MAC block (128 bytes, which you can truncate to whatever) in part using AES with your encrypting key.

It feels to me like Colin has a legitimate point --- side channel key extraction would be pretty hard if you had to do it from HMAC instead of with AES --- but that the person who actually came up with a side-channel exploit in a real-world OMAC (EAX) system would get famous over it.

The person who breaks your hand-hacked CTR+HMAC code, which will inevitably contain flaws because it will get no real review... that person doesn't get famous. Her win was entirely predictable.


Is a CTR+HMAC code much more tricky to implement than EAX? I'd imagine it's just:

    e := encrypt(x)
    e := e + sep + hmac(e)
And for decryption:

    e, m := split(e, sep)
    if m = hmac(e):
        x := decrypt(e)
The only thing I'd be particularly worried about is timing attacks on `m = hmac(e)`. Am I just being naive?


http://rdist.root.org/2009/05/28/timing-attack-in-google-key...

The issue isn't that EAX is easier to implement than CTR+HMAC. EAX is actually harder to implement than CTR+HMAC.

The issue is that someone will have already written EAX for you, because EAX is a NIST standard that is used in actual fielded systems. There is no NIST standard AE construction (that I know of; I'm not an expert) that combines CTR and HMAC. You'll have to implement it yourself.


Yes, but so far as I can see, the implementation is very straightforward. I wouldn't have thought there'd be much difference in practise.


My "actual citation of a Rivest student coding for Google making the HMAC error" argument has a THAC0 of 5, and your "yes, but" argument has a THAC0 of 15. You might win this debate, but I doubt it.

Colin points out (rightly, in the narrow scope he drew) that Google could have made the same error with CBC-MAC or OMAC; they'd still be comparing bytes directly, not doing the safe XOR comparison.

But Colin is making my point for me. Because if you used EAX or CCM, you wouldn't be implementing that compare for yourself; it'd be taken care for you by the block cipher mode, which would yield either a plaintext or a failure.

Yes, the library designer could make that mistake too; after all, Google did! But again, that's my point. Google making this error was a newsworthy event, and the mere fact Google implemented it caused Nate Lawson to review the code and find it. You have none of those benefits. You're going to make the same error, and nobody's going to find it until it matters that you've not made it.


Okay, but using an encryption library doesn't guarantee your code is free of mistakes either. Just initiating a generic cryptography library requires a certain amount of specialised knowledge. You have to get the right mode, create a secure key, know how to correctly use an IV or whatever additional parameters the particular encryption algorithm needs.

Compared to all that, comparing two HMACs seems relatively straightforward.


> usually with the same key as was used to encrypt

What's the context of "usually" here ?


As in, a design goal of many of the AE modes is to allow the encryption key to be reused.


Examples? Google code search for "AES CCM" or "AES EAX". If you trust Wikipedia, I believe this point is also in the first graf on CCM.


I don't see how having a design goal to allow for a key reuse explains the "usually" part of "fastest MACs use AES themselves, usually with the same key as was used to encrypt". What you listed was the list of MACs that, from my experience, are meant to be used with their own key. That's what I asked about - where did you see them used sharing the key with an encryption cycle ?


You've lost me, huhtenberg. What are you getting at?


The fastest MACs use AES themselves, usually with the same key as was used to encrypt.

I am asking for examples of the above. I don't understand how you arrived at "usually".


I'm not sure if we're splitting hairs or just talking past each other, but can we figure out why it is we care about the world "usually" versus "sometimes" or whatever it is you think is the correct modifier? What's the meta-issue here?


Any concrete examples of the actual reuse of the encryption keys as MAC keys ?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: