Profile picture
Stephan Neuhaus @stephanneuhaus1
, 19 tweets, 3 min read Read on Twitter
Thread: I have just been in a discussion with @hanno and others, and think I should set out my thoughts about CBC, authenticated encryption, and signatures. 1/n
First, if you always check your HMACs, auth tags, signatures for correctness and that they are the ones you expect, then you can use either Encrypt-then-MAC, AEAD, or signatures and they will do what you need 2/n
The main difference will probably be speed, but from a purely authentication point of view, *if you do all the required checks*, there is no difference between Encrypt-then-MAC, AEAD, and signatures. 3/n
For example, it is claimed that MACs or AEADs are better than signatures because an attacker can sign a modified plaintext, something that's not possible with MACs or AEADs since they use the same key, so the auth tag check will fail. 4/n
That's true, but irrelevant. In the model above, everyone always does all the required checks. For signatures, that would be (a) validity of signature, (b) correctness of public key being used. For HMACs, that's (a) validity of HMAC, (b) authenticity of key. 5/n
So you have to do two checks either way and leaving any check out leaves you vulnerable to attacks. Now the next problem is: how easy is it to get any of this wrong? IMHO, way too easy, for any authentication scheme. 6/n
For example, remember Efail? In some circumstances, the encryption program said at the end of the decryption process that the ciphertext could not be authenticated, but the mail program had already acted on the deciphered plaintext and displayed that. 7/n
This is precisely what you get with AEAD: the auth tag is only computed at the end. But in the meantime, there is all this juicy plaintext lying around, and the temptation to use it will certainly be too much for some programmers. 8/n
As you may have noticed, none of the above has mentioned CBC, and for good reason: when it comes to authentication, CBC is a complete red herring, since CBC is for confidentiality, not authentication. The problem is not CBC, but not using authentication. 9/n
Now let's take a look at AEAD, since some people believe that it should preferentially be used over, e.g., signatures. Again, if implemented correctly, AEAD gives the same security guarantees as, e.g., CBC+HMAC, but is likely to be much faster. 10/n
But how easy is it to get anything wrong? With CBC, the classic problem is re-use of the IV. In CBC, this leads to identical plaintext prefixes being encrypted to identical ciphertexts. That's pretty bad. What happens when IV-equivalent material is reused in AEAD? 11/n
The most popular version of AEAD is GCM. That is a stream cipher. When you reuse key + IV in a stream cipher, you regenerate and hence reuse the key stream. Now let's compare CBC and GCM with respect to this reuse, shall we? 12/n
In CBC, you can see that two messages have the same prefix. If you have cribs, you may even be able to guess what these prefixes are. In GCM, you completely lose the protection from the keystream, since the XOR of the ciphertexts gives you the XOR of the plaintexts. 13/n
In other words, if GCM fails in the same way that CBC can fail through reuse of IV-equivalent material, it is as if no encryption at all had happened. In this way, GCM is much more brittle than CBC. 14/n
So, to summarise. 1. If done correctly, AEAD, Encrypt-then-MAC, and signatures give the same security guarantees w.r.t. authenticity. This always includes two checks: whether the authenticator is itself correct, and whether it comes from an expected source. 15/n
2. Additionally, all procedures require you to discard unauthenticated messages. If unauthenticated ciphertext is being acted upon, efail-like attacks are possible, no matter what authentication mechanism is being used. 16/n
3. Both CBC and GCM are vulnerable to IV-equivalent material being reused. In CBC, such reuse leads to identical plaintext prefixes being encrypted to identical ciphertext. In GCM it leads to complete loss of protection through encryption. 17/n
I have glossed over many details here. For example, I have said that, from an authentication perspective, AEAD, Encrypt-then-MAC, and signatures were "equivalent". Of course they are different, and have different properties in different situations. 18/n
For example, some may be useful for data-at-rest and others not. But my point is that you could, if you wanted, replace, e.g., AEAD with signatures, and get the same authentication properties even though from a practical perspective that would make little sense. 19/19 /ends
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Stephan Neuhaus
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related threads

Profile picture
I want to talk about the editorial support you should expect from an agent who says they work editorially, &what you should not expect, too. (As always these are my opinions; others will think differently; you can take any opinion you encounter or burn it in a trash can.) #Thread
Most agent offer calls come with a discussion about editorial support and expectations on both sides. If an agent says they work editorially, both of you can talk about what you hope this will look like. This may include:
Rounds of overall revision to plot/character/structure/setting, or tightening to a genre guideline, based on an "edit letter."
Line edits/sidebar comments by your agent. I always stress these are suggestions to achieve a goal. How author arrives at that goal is up to to them, but
Read 17 tweets
Profile picture
#Thread: Our chair Omingo Magara articulated The Centre for Multiparty Democracy's memorandum to the Building Bridges to Unity Advisory Taskforce consultative meeting with stakeholders held today at the Kenyatta International Convention Centre. #BuildingBridges
The Building Bridges to a New Kenyan Nation is premised on the fact that Kenya has made progress towards consolidating its democratic landscape, but much remains to be done in addressing underlying challenges that threaten political, social and economic standing of the country.
Our democratization process and stability have been characterized by challenges that are well outlined in the Joint Communique of March 9th 2018 by H.E. the President Uhuru Kenyatta and the former Prime Minister Rt. Hon. Raila Odinga.
#BuildingBridges
Read 51 tweets
Profile picture
Suite aux récentes prises de tête avec @X345__ réagissant à un tweet de @mixlamalice je vais donner mon avis totalement subjectif sur le docteur et ce qui le différencie de l'ingénieur.

#Thread
Tout d'abord, déclaration de conflit d'intérêts.

Je suis ingénieur chimiste, passé par une classe prépa.
Et docteur en chimie d'une Université du sud de la France.

Et je bosse en Suisse chez @JeSuisBigPharma
La discussion est partie d'un tweet de @mixlamalice qui reproche à des docteurs de se prétendre enseignant-chercheurs ou chefs de projets dans leur CV.

Ce à quoi @X345__ rétorque que le doctorat n'étant pas valorisé comme diplôme il faut bien le vendredi comme expérience pro.
Read 24 tweets
Profile picture
How To Create (or Find) A Hot Product or Service and Make Millions Selling It

#Thread.
You want to make money with your proposed business?

Before you even think of an idea, there are things you must be mindful of.

1. Choose an industry or sector that you will enjoy, genuinely want to help in or wouldn't mind working in.
In order words, choose an industry that wouldn't make you want to put a gun in your mouth and blow your brains out.

An industry is just a collection of different pockets (markets) of people.
I was privileged to know the late Mr. Isaac Durojaiye, founder of DMT Mobile Toilets.
Read 29 tweets
Profile picture
Here is the comparison between two countries popular among the Nigeria students: Canada vs Germany 󾓨. This #thread will help you choose your study destination on cost of living, visa and work opportunities.

Retweet someone your TL will need this. See blog.trippaddystudy.com
1. Popular courses:

GERMANY: Computer science, Chemical, Civil, Electrical, Mechanical engineering, Physics & Life science.

CANADA: Business management, Media, Nursing, Engineering, Computer science and Hospitality.
2. Eligibility/Requirements: For undergrad, you need to have completed 12 years of schooling to get admission. Take SAT exam. Duration of degree course is 4 yrs and that of a diploma is 2 to 3 yrs.

In postgraduate courses, getting admission in vocational courses is easier as...
Read 22 tweets
Profile picture
Fuel saving tips:
1. Your a/c doesnt eat your fuel (highly debated topic).. when you wind down at a top speed, the car has to accelerate more to cover the speed you want, compared to when the glass is wound up (more acceleration, more fuel consumption)
#Thread
2. Lighten the load of your car, the more the load, the more the car would need to accelerate, the more fuel is consumed... remove anything you dont need, if you want to save fuel
3.Always check that your tyres are properly inflated, if the pressure of the tyre(s) is/are below the recommended level, your vehicle would consume more fuel
Read 6 tweets

Trending hashtags

#Rajinikanth #TGV #ZeEnd #AccidentsWillHappen #HappyNewYear2019 #WeshallOvercome #HinduRenaissance #TrumpIsUnfit #Wikipedia #MSDyn365CE #Aragorner #ConnectedFieldService #emosión #Allemagne #Twitter #MindChallenge #CommonDataModel #BRK #correction #MachineLearning #Sabarimala #Hinduism #threadstorytime #NigeriaDecides2019 #EgyptStation

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!