Message-Id: <4E229731-16C6-4446-B43D-F7684BBEADF2@taplink.co>
Date: Sat, 15 Aug 2015 11:23:11 -0400
From: Jeremy Spilman <jeremy@...link.co>
To: "discussions@...sword-hashing.net" <discussions@...sword-hashing.net>
Subject: Re: [PHC] Passwords15 BSidesLV talks
A question I wanted to ask at the talk but didn't get the chance...
I guess with Encrypt-then-MAC an attacker can still just check the MAC, but that would involve:
a) calculating the MAC key, which is typically chained off the encryption key possibly with additional work factor
b) streaming the entire cipher text through the hash function
Whether this is faster than skipping the MAC key derivation and hash step and going straight to decrypting the entire ciphertext and applying the AONT I guess could vary. But in any case it's a better lower bound than decrypting just one block.
Is that right?
> On Aug 14, 2015, at 2:40 PM, Jeffrey Goldberg <jeffrey@...dmark.org> wrote:
>
>> On 2015-08-13, at 4:49 PM, Greg Zaverucha <gregz@...rosoft.com> wrote:
>>
>> Thanks Alexander!
>> For folks on this list who are interested and familiar with crypto, it may be faster to look at my tech report explaining the idea
>> http://research.microsoft.com/apps/pubs/default.aspx?id=252097
>
> Thanks.
>
> As I said then. This is one of those really cool ideas that makes perfect sense once someone actually points it out. I’ve always been bothered by the fact that an attacker may just need to decrypt a single block or check a MAC while the defender needs to decrypt the whole thing, but I never really thought about doing anything about it. So thanks again.
>
> Cheers,
>
> -j
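The cost comparison the message above reasons about, as an added example that is not part of the thread and not code from Greg Zaverucha's tech report: a toy password-based encryption with three layouts (plain CTR, Encrypt-then-MAC, and all-or-nothing transform then encrypt), each paired with the cheapest password-guess check an attacker can run against it. Every primitive is an HMAC-SHA256 stand-in (assumption) rather than AES, the AONT is a simplified package transform in the style of Rivest's construction (assumption), and "work" is counted in 32-byte units touched after key derivation, since the PBKDF2 step costs the same in all three layouts. The known header, password and salt are constructed sample inputs.

```python
"""Per-guess attacker work under three password-based encryption layouts.
Toy model: HMAC-SHA256 stands in for a block cipher (assumption)."""
import hashlib
import hmac
import os

BLOCK = 32                      # one HMAC-SHA256 output, used as the block size
ITERATIONS = 2000               # deliberately low PBKDF2 cost so the demo is quick
HEADER = b"EXAMPLE-FILE-HEADER-v1".ljust(BLOCK, b"\0")   # constructed known plaintext


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def nblocks(data: bytes) -> int:
    return (len(data) + BLOCK - 1) // BLOCK


def prf_block(key: bytes, index: int) -> bytes:
    """Keystream block `index`; stands in for AES-CTR's E_K(nonce || index)."""
    return hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()


def ctr_crypt(key: bytes, data: bytes) -> bytes:
    """XOR each 32-byte chunk with its keystream block (encrypt == decrypt)."""
    return b"".join(xor(data[i:i + BLOCK], prf_block(key, i // BLOCK))
                    for i in range(0, len(data), BLOCK))


def derive_keys(password: bytes, salt: bytes):
    enc_key = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    # MAC key chained off the encryption key, as the message describes
    mac_key = hmac.new(enc_key, b"mac-key", hashlib.sha256).digest()
    return enc_key, mac_key


# --- toy package transform (AONT): no block of the input is recoverable
#     until every block of the package is available -------------------------
def aont_pack(msg: bytes) -> bytes:
    pkg_key = os.urandom(BLOCK)
    body = ctr_crypt(pkg_key, msg)
    tail = xor(pkg_key, hashlib.sha256(body).digest())  # key hidden under hash of all of body
    return body + tail


def aont_unpack(pkg: bytes) -> bytes:
    body, tail = pkg[:-BLOCK], pkg[-BLOCK:]
    pkg_key = xor(tail, hashlib.sha256(body).digest())  # requires the whole body
    return ctr_crypt(pkg_key, body)


def encrypt(password: bytes, msg: bytes, salt: bytes, mode: str) -> bytes:
    enc_key, mac_key = derive_keys(password, salt)
    if mode == "ctr":
        return ctr_crypt(enc_key, msg)
    if mode == "etm":
        ct = ctr_crypt(enc_key, msg)
        return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
    if mode == "aont":
        return ctr_crypt(enc_key, aont_pack(msg))
    raise ValueError(mode)


# --- cheapest guess check per layout; each returns (password_ok, work_units) --
def guess_ctr(password: bytes, salt: bytes, ct: bytes):
    enc_key, _ = derive_keys(password, salt)
    first = xor(ct[:BLOCK], prf_block(enc_key, 0))      # decrypt one block only
    return first == HEADER, 1


def guess_etm(password: bytes, salt: bytes, ct: bytes):
    _, mac_key = derive_keys(password, salt)
    body, tag = ct[:-BLOCK], ct[-BLOCK:]
    calc = hmac.new(mac_key, body, hashlib.sha256).digest()  # stream entire ciphertext
    return hmac.compare_digest(calc, tag), nblocks(body)


def guess_aont(password: bytes, salt: bytes, ct: bytes):
    enc_key, _ = derive_keys(password, salt)
    pkg = ctr_crypt(enc_key, ct)                         # must decrypt everything...
    body, tail = pkg[:-BLOCK], pkg[-BLOCK:]
    pkg_key = xor(tail, hashlib.sha256(body).digest())   # ...and hash everything...
    first = xor(body[:BLOCK], prf_block(pkg_key, 0))     # ...before seeing one block
    return first == HEADER, nblocks(ct) + nblocks(body) + 1


def demo(msg_blocks: int = 64):
    """Returns {mode: (right_password_accepted, wrong_password_rejected, work_units)}."""
    salt = os.urandom(16)
    password = b"correct horse"                          # constructed sample password
    msg = HEADER + os.urandom(BLOCK * (msg_blocks - 1))
    results = {}
    for mode, check in (("ctr", guess_ctr), ("etm", guess_etm), ("aont", guess_aont)):
        ct = encrypt(password, msg, salt, mode)
        hit, work = check(password, salt, ct)
        miss, _ = check(b"wrong password", salt, ct)
        results[mode] = (hit, not miss, work)
    return results


if __name__ == "__main__":
    for mode, (hit, rejected, work) in demo().items():
        print(f"{mode:5s} correct={hit} wrong_rejected={rejected} work={work} blocks")
```

With a 64-block message the plain CTR check touches 1 block per guess, the Encrypt-then-MAC check 64 (the whole ciphertext through the MAC), and the AONT check 130 (decrypt all 65 blocks, hash 64, then untransform one), which is the ordering the message argues for; whether the EtM path is faster than the AONT path in practice depends on the relative speed of the MAC and the cipher, which this unit count does not capture.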