IETF-SSH archive


Re: Albrecht/Paterson/Watson's attack



Simon Tatham <anakin%pobox.com@localhost> writes:

>The MAC would apply to the ciphertext, and the length would be the full
>length of the ciphertext (or perhaps ciphertext+MAC) in clear.

That's what I'd like to see too.  My code, and presumably everyone else's as
well, currently contains a large pile of ad-hockery to kludge around all the
different side-channel attacks you have to worry about with the current way
packet data is handled.  Being able to do:

  read length;
  read that many bytes;
  run MAC and accept/reject;

would cut out all of this.  The only thing you need to worry about is not
using memcmp() for the MAC check.

Peter.
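The three-step receive path sketched above (read the clear length, read that many bytes, run the MAC and accept or reject before touching the plaintext), as an added example that is not code from this thread or from any SSH implementation. The MAC covers the sequence number, the clear length field and the ciphertext; the tag check uses a constant-time comparison in place of the memcmp() the message warns against. The keys, the SHA-256 counter-mode stand-in for the cipher, and the MAX_PACKET bound are constructed for the example.

```python
"""Encrypt-then-MAC receive path for an SSH-style packet: length in the
clear, MAC over the ciphertext, verify before decrypting, constant-time tag
comparison. Example code, not from any SSH implementation."""
import hashlib
import hmac
import struct

MAC_LEN = 32            # HMAC-SHA-256 tag
MAX_PACKET = 35000      # assumed upper bound on the clear length field


def ct_equal(a: bytes, b: bytes) -> bool:
    """Constant-time tag comparison: XOR each byte pair and OR the results,
    so the loop always runs to the end instead of returning at the first
    mismatch the way memcmp() does. hmac.compare_digest() does the same."""
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode keyed by key and
    sequence number), constructed for this example only; a real receiver
    uses the negotiated cipher. Encrypt and decrypt are the same operation."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">QQ", seq, block)).digest()
        block += 1
    return bytes(x ^ k for x, k in zip(data, stream))


def mac_tag(mac_key: bytes, seq: int, length_field: bytes, ciphertext: bytes) -> bytes:
    # The tag binds the sequence number, the clear length and the ciphertext,
    # so neither the length field nor the ciphertext can be altered unnoticed.
    msg = struct.pack(">I", seq) + length_field + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def build_packet(enc_key: bytes, mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: length (clear) || ciphertext || MAC."""
    ciphertext = keystream_xor(enc_key, seq, payload)
    length_field = struct.pack(">I", len(ciphertext))
    return length_field + ciphertext + mac_tag(mac_key, seq, length_field, ciphertext)


class NeedMoreData(Exception):
    """The receive buffer does not yet hold a whole packet."""


class BadPacket(Exception):
    """Rejected before decryption: bad length or tag mismatch."""


def read_packet(enc_key: bytes, mac_key: bytes, seq: int, buf: bytes):
    """Receiver side, in the order the message lists: read length, read that
    many bytes (plus the tag), run the MAC and accept/reject, then decrypt.
    Returns (payload, bytes_consumed)."""
    if len(buf) < 4:
        raise NeedMoreData
    length_field = buf[:4]
    (length,) = struct.unpack(">I", length_field)
    # The length is unauthenticated until the MAC passes, so bound it
    # before using it to size a read or a buffer.
    if length > MAX_PACKET:
        raise BadPacket("implausible length field")
    total = 4 + length + MAC_LEN
    if len(buf) < total:
        raise NeedMoreData
    ciphertext = buf[4:4 + length]
    tag = buf[4 + length:total]
    if not ct_equal(mac_tag(mac_key, seq, length_field, ciphertext), tag):
        raise BadPacket("tag mismatch")
    # Only an authenticated packet ever reaches the cipher.
    return keystream_xor(enc_key, seq, ciphertext), total


if __name__ == "__main__":
    ek, mk = b"e" * 32, b"m" * 32          # constructed keys
    pkt = build_packet(ek, mk, 7, b"hello ssh")
    print(read_packet(ek, mk, 7, pkt))
```

Because the length field is part of the MAC input, a modified length fails the tag check just as a modified ciphertext byte does, and a short buffer is reported as "need more data" rather than being guessed at; the only unauthenticated value the receiver acts on is the length, and it is only used to decide how many bytes to read, under a fixed bound.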


