IETF-SSH archive


Re: Authenticated cipher modes



Simon Tatham <anakin%pobox.com@localhost> writes:

> Bill Sommerfeld  <sommerfeld%sun.com@localhost> wrote:
> > how about listing the combined mode cipher in both the "cipher" and the
> > "mac" lists?  that avoids the unambiguity problem -- if you know what it
> > is, you'll know to accept it on an all-or-none basis; if you don't know
> > what it is, you'll reject both instances of it.
> 
> I think the problem is that this is inconsistent with the algorithm
> mandated by the transport protocol for choosing ciphers and MACs:


> `if the normal cipher and MAC selection selects Helix as only one of
> or MAC for a particular direction, then Helix must be used as both
> cipher and MAC for that direction, superseding whatever the normal
> selection algorithm chose for the other slot'

I think one could define the procedure as follows:

  If helix is selected as the cipher to use by the ordinary selection
  mechanism, *and helix is present* on both parties' lists of
  authentication methods, then helix must be used for authentication,
  bypassing the usual selection rules for the authentication method.

In effect, it says that implementations supporting helix should do the
cipher selection before the authentication selection.

This doesn't conflict too badly with current procedures. However, it
still shouldn't be done lightly, because it *will* conflict when
somebody proposes the analogous change with a reverse dependency

  If foo is selected as the authentication method, and foo is present
  on the cipher list of both parties, then foo must be used also for
  encryption.

An alternative of a slightly different flavour, but which still
introduces a dependency between cipher selection and authentication
selection, is the following rule:

  All occurrences of helix on the authentication lists must be
  ignored unless helix is also used for the cipher for the
  corresponding data stream.

Both these alternatives make it possible to use helix + a different
mac.

Regards,
/Niels
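
The two rules proposed in this message, written out for one direction of the data stream, as an added example that is not part of the original post and not code from any SSH implementation. The function names and the sample name-lists are constructed for illustration; `pick` assumes the transport protocol's ordinary rule (first name on the client's list that the server also lists).

```python
COMBINED = "helix"  # name the thread uses for the combined cipher+MAC mode

def pick(client, server):
    """Ordinary selection: first client name that the server also lists."""
    for name in client:
        if name in server:
            return name
    return None  # no common algorithm, negotiation fails

def negotiate_rule1(c_ciph, s_ciph, c_mac, s_mac):
    """First rule: choose the cipher first; if it is helix and helix is on
    both MAC lists, helix is the MAC regardless of MAC list order."""
    cipher = pick(c_ciph, s_ciph)
    if cipher == COMBINED and COMBINED in c_mac and COMBINED in s_mac:
        return cipher, COMBINED
    return cipher, pick(c_mac, s_mac)

def negotiate_rule2(c_ciph, s_ciph, c_mac, s_mac):
    """Alternative rule: helix entries on the MAC lists are ignored unless
    helix was selected as the cipher for this data stream."""
    cipher = pick(c_ciph, s_ciph)
    if cipher != COMBINED:
        c_mac = [m for m in c_mac if m != COMBINED]
        s_mac = [m for m in s_mac if m != COMBINED]
    return cipher, pick(c_mac, s_mac)

# Constructed name-lists: (client ciphers, server ciphers, client MACs, server MACs)
# Case A: ordinary selection gives helix as cipher but hmac-sha1 as MAC.
CASE_A = (["helix", "aes128-cbc"], ["aes128-cbc", "helix"],
          ["hmac-sha1", "helix"], ["helix", "hmac-sha1"])
# Case B: ordinary selection gives aes128-cbc as cipher but helix as MAC.
CASE_B = (["aes128-cbc", "helix"], ["helix", "aes128-cbc"],
          ["helix", "hmac-sha1"], ["hmac-sha1", "helix"])
# Case C: helix is the cipher, but the server does not list helix as a MAC.
CASE_C = (["helix"], ["helix"], ["helix", "hmac-md5"], ["hmac-md5"])

if __name__ == "__main__":
    for label, case in (("A", CASE_A), ("B", CASE_B), ("C", CASE_C)):
        print(label, negotiate_rule1(*case), negotiate_rule2(*case))
```

On these lists the two rules differ in cases A and B: the first rule overrides the MAC choice only when helix wins the cipher slot, while the alternative only filters the MAC lists when it does not.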


