[Resource Topic] 2001/045: The order of encryption and authentication for protecting communications (Or: how secure is SSL?)

Welcome to the resource topic for 2001/045

Title:
The order of encryption and authentication for protecting communications (Or: how secure is SSL?)

Authors: Hugo Krawczyk

Abstract:

We study the question of how to generically compose symmetric
encryption and authentication when building “secure channels” for
the protection of communications over insecure networks.
We show that any secure channels protocol designed to work with any combination
of secure encryption (against chosen plaintext attacks) and secure MAC
must use the encrypt-then-authenticate method.
We demonstrate this by showing that the other common methods
of composing encryption and authentication, including the
authenticate-then-encrypt method used in SSL, are not generically secure.
We show an example of an encryption function
that provides (Shannon’s) perfect secrecy but when combined with
any MAC function under the authenticate-then-encrypt method
yields a totally insecure protocol (for example, finding passwords
or credit card numbers transmitted under the protection of such a protocol
becomes an easy task for an active attacker).
The same applies to the encrypt-and-authenticate method used in SSH.

On the positive side we show that the authenticate-then-encrypt method
is secure if the encryption method in use is either CBC mode (with
an underlying secure block cipher) or a stream cipher (that XORs the
data with a random or pseudorandom pad).
Thus, while we show the generic security of SSL to be broken,
the current standard implementations of the protocol that use
the above modes of encryption are safe.

ePrint: https://eprint.iacr.org/2001/045

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.