Implementing Cryptography Using Python
Chapter 7 ■ Message Integrity 211
First, when you send the same message many times, any potential eavesdropper
has the advantage. Additionally, the MAC is not designed for
secrecy; there is no assurance that the upper byte of t isn’t identical to the
first byte of M.
Authenticate Then Decrypt
In this model you compute t = MAC(M), then c = ENC(M||t). Your receiver
computes M||t = DEC(c), then checks that t == VRFY(M). This model is somewhat
stronger, but there is some debate about it: Jonathan Katz recommends against
it, while Bruce Schneier recommends it. Katz favors proofs of security and
would recommend the next method.
Encrypt Then Authenticate
This is the recommended approach. First compute c = ENC_k(M), then
t = MAC_k2(c), and send (c, t). On the other side, verify t == VRFY_k2(c),
and only if that check passes compute M = DEC_k(c). If the MAC is
cryptographically secure, the construction is CCA-secure and unforgeable,
provided the two keys are random and independent.
Communication Channels
There are additional attacks that the security practitioner should be aware of,
but they tend to border more on the network security side than cryptography
best practices. In general, you should always encrypt the entire message. Ideally,
you need to set up a channel for encrypted and authenticated messages between
the two parties despite any malicious middlemen. Your crypto system cannot
mitigate threats that are related to someone else controlling the network between
the communicating parties. These attacks include the replay attack, the
reordering attack, and the reflection attack.
■ Replay attack: Occurs when a middleman captures the encrypted message
and then has the ability to send it at a later time.
■ Reordering attack: Occurs when an adversary takes encrypted messages
and sends them out of order.
■ Reflection attack: Occurs when a message is sent back to the sender and
not passed along to the recipient.
None of these attacks would cause a decryption failure; the messages would
decrypt correctly. To fight against reflection and replay attacks, you should
include more than just the message in your MACs. You solve these problems by
including some extra data with each encrypted message: a message counter and
a direction bit (0 for A to B and 1 for B to A). Both parties can then
maintain state and reject messages that don't match up. Our next goal is to
explore opening a socket in Python in order to deliver a message that cannot
be successfully read by an unauthorized user. This will be the basis for
exploring secured sockets after we examine certificates in the next chapter.
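The encrypt-then-authenticate ordering above, combined with the message counter and direction bit just described, as an added Python example that is not from the book: the MAC covers the direction bit, the counter and the ciphertext, and the receiver verifies the tag before it checks its state or decrypts. Assumptions: the stream cipher is a toy HMAC-SHA256 keystream standing in for a real cipher such as AES-CTR, and k_enc and k_mac are independent 32-byte keys.

```python
import hashlib, hmac, struct

def _keystream(key, nonce, length):
    """Toy keystream (stand-in for AES-CTR, not the book's cipher): HMAC-SHA256 over nonce||block."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def encrypt_then_mac(k_enc, k_mac, direction, counter, message):
    """Sender: c = ENC_k(M), t = MAC_k2(direction || counter || c); send header + c + t."""
    header = struct.pack(">BQ", direction, counter)  # direction bit and 64-bit counter
    c = bytes(a ^ b for a, b in zip(message, _keystream(k_enc, header, len(message))))
    t = hmac.new(k_mac, header + c, hashlib.sha256).digest()
    return header + c + t

class Receiver:
    """Keeps per-direction state so each counter is accepted once, in order."""
    def __init__(self, k_enc, k_mac, expected_direction):
        self.k_enc, self.k_mac = k_enc, k_mac
        self.expected_direction = expected_direction
        self.last_counter = -1

    def receive(self, packet):
        if len(packet) < 9 + 32:
            raise ValueError("truncated packet")
        header, c, t = packet[:9], packet[9:-32], packet[-32:]
        # 1. Verify the tag first; the ciphertext is not touched until it checks out.
        expected = hmac.new(self.k_mac, header + c, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, t):
            raise ValueError("bad MAC")
        direction, counter = struct.unpack(">BQ", header)
        # 2. Reflection: a message carrying the other direction bit is not for us.
        if direction != self.expected_direction:
            raise ValueError("reflected message")
        # 3. Replay / reordering: the counter must be strictly greater than the last seen.
        if counter <= self.last_counter:
            raise ValueError("replayed or out-of-order message")
        self.last_counter = counter
        # 4. Only now decrypt: M = DEC_k(c).
        return bytes(a ^ b for a, b in zip(c, _keystream(self.k_enc, header, len(c))))

def rejected(receiver, packet):
    try:
        receiver.receive(packet)
        return False
    except ValueError:
        return True
```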