Practical Cryptography Corrected

[bramcohen]

The book 'Practical Cryptography' is perfectly good for giving an overview of basic concepts in cryptography, but its immediate practical advice to implementers is not terribly to the point or accurate. Here is much more to the point and accurate advice.

• For a block cipher you should use AES-128. If you don't understand your protocol well enough

Comments

[cypherpunk95]

You should always do encryption as a layer outside of authentication.

Strongly disagree.

Authenticate-then-encrypt (AtE) is subject to attacks that encrypt-then-authenticate (EtA) is not. How practical those attacks are depend on exactly what you're using for your encryption, but they can occur surprisingly often, and you don't want to have to worry about them.

The most prevalent class of such attack (in my opinion) is when you've got a (possibly public-key) encryption system that isn't reaction resistant. The encryption might be somewhat homomorphic, in that the adversary can modify the ciphertext in such a way as to make it come out to the same plaintext some of the time, and a different plaintext (or \bottom) some of the time. Then the inner authentication will fail, and the adversary will know which happened. Lattice-based crypto often has this problem, as does McElice (see our 1999 paper on this). Other encryption systems may have this or similar problems, as protecting against this isn't generally something that's a design goal of semantically secure encryption. (If your encryption is IND-CCA2, you're safe, but then you've basically got the authentication built in, anyway.)

Authenticating the ciphertext avoids the whole issue.

Of course, it may have its own issues, if you're using signatures (and not MACs) for authentication, and you want, say, to hide the information of who's signing the message. If you have complex requirements like that, though, you might think twice about designing the crypto protocol yourself.

[bramcohen]

RSA in particular has vicious attacks when you do authentication checks the wrong way, but that's really an argument in favor of doing authentication properly rather than changing the order, particularly because checking that high order byte is something a naive implementer might do anyway.

That more complicated stuff you mention really shouldn't be done by people who don't already know these issues well, and my advice is for people who don't really know what they're doing by are trying to do something simple (which still might not be a good idea, but they're better off with good advice than without).