Cryptography Reference
informs the recipient which key(s) to use in order to authenticate and decrypt.
In the following discussion we will use the term message to refer to the data
requiring confidentiality and data origin authentication, associated data to refer
to the additional data requiring only data origin authentication, and full message
to the combination of the message and the associated data.
There are two possible approaches to providing both confidentiality and data
origin authentication. The first is to provide these using separate cryptographic
primitives. The alternative approach is to use a cryptographic primitive that is
explicitly designed to provide both security services.
USING SEPARATE PRIMITIVES
We observed in Section 6.3.1 that, in general, encryption does not provide data
origin authentication. Hence, when both security services are required, the most
obvious solution is to use two separate cryptographic primitives. In a symmetric
setting the most natural way of realising this is to use symmetric encryption and
a MAC. But in which order should these cryptographic primitives be applied?
MAC-then-encrypt. In this case:
1. the MAC is computed on the full message;
2. the message and the MAC are encrypted (but not the associated data);
3. the ciphertext, the associated data and the MAC are sent to the receiver.
The receiver first decrypts the ciphertext to recover the message and the MAC.
The receiver then assembles the full message and checks the MAC. This order,
which computes the MAC first, is perhaps the most aesthetic solution from a
'purist's' perspective, because it is the message itself that we want data origin
authentication for, not its encrypted form. However, this does not necessarily
mean that it is the most secure solution. Indeed, there are some security
concerns about this approach.
Encrypt-then-MAC. In this case:
1. the message is encrypted;
2. the MAC is computed on the combination of the ciphertext and the associated
data;
3. the ciphertext, the associated data and the MAC are sent to the receiver.
This might not seem the intuitive order in which to conduct the two
cryptographic operations, but it has a distinct advantage. The receiver will first
have to check the MAC on the ciphertext. If this check fails then the receiver
will reject the received data without any need for decryption, thus saving some
computation. In contrast, in the case of MAC-then-encrypt, the receiver must
perform both operations. Encrypt-then-MAC also benefits from the existence
of a theoretical security proof that suggests that it is a good way of combining
the two operations.
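The encrypt-then-MAC steps above, including the receiver rejecting data before any decryption, shown as an added example that is not from the original text. It assumes separate encryption and MAC keys, HMAC-SHA256 as the MAC, a random nonce that is also covered by the MAC, and a SHAKE-256 keystream as a standard-library stand-in for a real cipher such as AES-CTR; the function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct


def _stream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption): SHAKE-256 keystream so the example
    # runs with the standard library only. Use a standard cipher in practice.
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def _mac(mac_key: bytes, associated_data: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # MAC over the combination of associated data and ciphertext. The length
    # prefix keeps the boundary between the two fields unambiguous.
    covered = struct.pack(">Q", len(associated_data)) + associated_data + nonce + ciphertext
    return hmac.new(mac_key, covered, hashlib.sha256).digest()


def seal(enc_key: bytes, mac_key: bytes, message: bytes, associated_data: bytes):
    nonce = os.urandom(16)
    ciphertext = _stream_xor(enc_key, nonce, message)        # step 1: encrypt the message
    tag = _mac(mac_key, associated_data, nonce, ciphertext)  # step 2: MAC ciphertext + associated data
    return nonce, ciphertext, tag                            # step 3: sent alongside the associated data


def open_sealed(enc_key, mac_key, nonce, ciphertext, tag, associated_data) -> bytes:
    # The receiver checks the MAC first and rejects without decrypting on failure.
    expected = _mac(mac_key, associated_data, nonce, ciphertext)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("MAC check failed: data rejected without decryption")
    return _stream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    ek, mk = os.urandom(32), os.urandom(32)
    ad = b"hdr:key-id=7"  # constructed sample associated data, sent in the clear
    nonce, ct, tag = seal(ek, mk, b"secret payload", ad)
    print(open_sealed(ek, mk, nonce, ct, tag, ad))
    try:
        open_sealed(ek, mk, nonce, ct, tag, b"hdr:key-id=8")  # modified associated data
    except ValueError as err:
        print(err)
```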
 