Security: Authentication vs. Decryption, Cracking, and more

h00ligan
Community Member

Comments

  • khad
    1Password Alumni
    edited August 2012
  • jpgoldberg
    1Password Alumni
    edited August 2012
  • h00ligan
    Community Member
  • h00ligan
    Community Member
  • khad
    1Password Alumni
  • jemenake
    Community Member
  • khad
    1Password Alumni
  • jemenake
    Community Member
  • jemenake
    Community Member
  • jpgoldberg
    1Password Alumni
  • jemenake
    Community Member
  • benfdc
    Community Member
    edited June 2013

    jpgoldberg wrote:

    > Encrypt-then-MAC is perfectly secure and easy to build

    According to a commenter here, Encrypt-then-HMAC is anything but easy to build. The details (other than the reference to timing attacks) are generally over my head. If you want to explain some of them, great. However, what I'm mostly looking for is confirmation that AgileBits is cognizant of the pitfalls that are discussed in the literature and has designed its iCloud keychain format, and implemented Encrypt-then-HMAC in 1P4, in a sound manner.

  • jpgoldberg
    1Password Alumni

    Sorry for not getting back to this earlier. I've been at PasswordsCon and DefCon and just left Las Vegas yesterday.

    You are absolutely correct that there are some very important things to watch out for in building Encrypt-then-MAC (or "Verify-and-only-then Decrypt" as I prefer to think about it.) Crucially you need to report nothing about how decryption is progressing until the MAC is verified. For large data, it is far more efficient to make one pass over it doing the MAC and decryption, but in doing so we need to be careful that no error conditions from decryption are leaked unless the MAC verifies.

    Indeed, we were sufficiently aware of these problems that we asked some outside experts to look over that portion of the code to make sure that we didn't mess it up. (Because they didn't do a formal review of everything, they don't wish to be named publicly, but it was reassuring to us to have outside experts look at our Encrypt-then-MAC (Verify-then-Decrypt) implementation.)

    Ideally, we would prefer to not have to do that at all. But authenticated encryption modes are not routinely available in the crypto libraries we prefer to use.

    Thanks for the great question!

    -j

    --
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com
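The two rules in the reply above (verify the tag before releasing anything, and in a single-pass design hold back every decryption-side error until the tag has verified) are easy to state and easy to get subtly wrong, so here is an added example that implements both. This is illustration code written for this thread, not AgileBits' or 1Password's implementation. It assumes its own details: a constructed record format (4-byte length prefix plus payload) to give decryption something that can fail, a counter-mode keystream built from HMAC-SHA256 standing in for AES-CTR so the block runs on the standard library alone, and independent MAC and encryption keys derived from one master key.

```python
"""Verify-then-decrypt for Encrypt-then-MAC records: a two-pass and a single-pass variant."""
import hashlib
import hmac
import os
import struct

IV_LEN = 16    # nonce prefixed to the ciphertext
TAG_LEN = 32   # HMAC-SHA256 tag appended to it
BLOCK = 32     # keystream block size of the HMAC-SHA256 PRF used below

class AuthenticationError(Exception):
    """Tag mismatch. Deliberately carries no detail about what decryption saw."""

class FormatError(Exception):
    """Plaintext record is malformed. Raised only after the tag has verified."""

def derive_keys(master_key):
    # Assumption: independent encryption and MAC keys from one master key (HMAC as PRF).
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())

def _xor_stream(enc_key, iv, data, offset=0):
    # Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR, assumption);
    # offset lets the streaming decryptor resume mid-stream.
    out, block, block_idx = bytearray(len(data)), b"", -1
    for i, byte in enumerate(data):
        pos = offset + i
        if pos // BLOCK != block_idx:
            block_idx = pos // BLOCK
            block = hmac.new(enc_key, iv + struct.pack(">Q", block_idx), hashlib.sha256).digest()
        out[i] = byte ^ block[pos % BLOCK]
    return bytes(out)

def _parse_record(record):
    # Constructed record format: 4-byte big-endian length prefix, then the payload.
    if len(record) < 4:
        raise FormatError("record shorter than its header")
    (declared,) = struct.unpack(">I", record[:4])
    if len(record) != 4 + declared:
        raise FormatError("length prefix does not match payload")
    return record[4:]

def _seal(master_key, iv, record):
    enc_key, mac_key = derive_keys(master_key)
    ct = _xor_stream(enc_key, iv, record)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()   # MAC covers iv || ct
    return iv + ct + tag

def encrypt(master_key, plaintext):
    return _seal(master_key, os.urandom(IV_LEN), struct.pack(">I", len(plaintext)) + plaintext)

def verify_then_decrypt(master_key, blob):
    """Two passes: verify the tag over the whole blob, only then touch the ciphertext."""
    enc_key, mac_key = derive_keys(master_key)
    if len(blob) < IV_LEN + TAG_LEN:
        raise AuthenticationError()
    iv, ct, tag = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise AuthenticationError()
    return _parse_record(_xor_stream(enc_key, iv, ct))

def verify_then_decrypt_streaming(master_key, chunks):
    """One pass: MAC and decrypt chunk by chunk, but release neither plaintext nor any
    decryption-side error until the trailing tag has verified."""
    enc_key, mac_key = derive_keys(master_key)
    mac = hmac.new(mac_key, digestmod=hashlib.sha256)
    iv, pending, offset, plaintext, deferred = None, b"", 0, bytearray(), None
    for chunk in chunks:
        pending += chunk
        if iv is None:
            if len(pending) < IV_LEN:
                continue
            iv, pending = pending[:IV_LEN], pending[IV_LEN:]
            mac.update(iv)
        if len(pending) > TAG_LEN:               # keep the last TAG_LEN bytes back: maybe the tag
            body, pending = pending[:-TAG_LEN], pending[-TAG_LEN:]
            mac.update(body)
            plaintext += _xor_stream(enc_key, iv, body, offset)
            offset += len(body)
        if deferred is None and len(plaintext) >= 4:
            (declared,) = struct.unpack(">I", bytes(plaintext[:4]))
            if len(plaintext) - 4 > declared:    # note the problem, do not report it yet
                deferred = FormatError("payload exceeds declared length")
    if iv is None or len(pending) != TAG_LEN or not hmac.compare_digest(mac.digest(), pending):
        raise AuthenticationError()              # same error whatever decryption saw
    if deferred is not None:
        raise deferred
    return _parse_record(bytes(plaintext))

def outcome(master_key, blob, chunk_size=None):
    """Classify a decryption attempt so the failure mode can be checked."""
    try:
        if chunk_size is None:
            return ("ok", verify_then_decrypt(master_key, blob))
        chunks = [blob[i:i + chunk_size] for i in range(0, len(blob), chunk_size)]
        return ("ok", verify_then_decrypt_streaming(master_key, chunks))
    except AuthenticationError:
        return ("auth_fail", None)
    except FormatError:
        return ("format_fail", None)

if __name__ == "__main__":
    key = os.urandom(32)
    blob = encrypt(key, b"constructed sample payload")
    print(outcome(key, blob), outcome(key, blob, 5))
    tampered = blob[:IV_LEN] + bytes([blob[IV_LEN] ^ 0x80]) + blob[IV_LEN + 1:]
    print(outcome(key, tampered), outcome(key, tampered, 5))
```

The point to notice is in the streaming variant: a ciphertext edit that corrupts the length prefix makes the plaintext "too long" part-way through the pass, but that observation is parked in `deferred` and the caller only ever sees `AuthenticationError`, the same error as for any other bad tag. `FormatError` can surface only once `compare_digest` has accepted the tag, so the error channel tells a forger nothing about how decryption went.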

This discussion has been closed.