Paper 2001/045

The order of encryption and authentication for protecting communications (Or: how secure is SSL?)

Hugo Krawczyk

Abstract

We study the question of how to generically compose *symmetric* encryption and authentication when building "secure channels" for the protection of communications over insecure networks. We show that any secure channels protocol designed to work with any combination of secure encryption (against chosen plaintext attacks) and secure MAC must use the encrypt-then-authenticate method. We demonstrate this by showing that the other common methods of composing encryption and authentication, including the authenticate-then-encrypt method used in SSL, are not generically secure. We show an example of an encryption function that provides (Shannon's) perfect secrecy but when combined with any MAC function under the authenticate-then-encrypt method yields a totally insecure protocol (for example, finding passwords or credit card numbers transmitted under the protection of such a protocol becomes an easy task for an active attacker). The same applies to the encrypt-and-authenticate method used in SSH. On the positive side we show that the authenticate-then-encrypt method is secure if the encryption method in use is either CBC mode (with an underlying secure block cipher) or a stream cipher (that XORs the data with a random or pseudorandom pad). Thus, while we show the generic security of SSL to be broken, the current standard implementations of the protocol that use the above modes of encryption are safe.
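The three composition orders named in the abstract, side by side, as an added example that is not code from the paper. The function names, key and nonce sizes, and the toy stream cipher (an HMAC-SHA256 counter pad XORed with the data, i.e. the pad-XOR style the abstract lists as safe under authenticate-then-encrypt) are assumptions made for illustration. It shows two structural differences: only encrypt-then-authenticate can reject a modified packet before decrypting anything, and encrypt-and-authenticate sends a tag over the plaintext in the clear, so a deterministic MAC reveals when the same message is sent twice.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32  # constructed sizes; TAG_LEN is the HMAC-SHA256 output

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def stream_xor(key, nonce, data):
    """Toy stream cipher (assumption): XOR data with an HMAC-SHA256 counter pad."""
    blocks = (len(data) + TAG_LEN - 1) // TAG_LEN
    pad = b"".join(mac(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, pad))

def encrypt_then_authenticate(ke, km, msg):
    nonce = os.urandom(NONCE_LEN)
    body = nonce + stream_xor(ke, nonce, msg)
    return body + mac(km, body)  # tag covers nonce and ciphertext

def open_encrypt_then_authenticate(ke, km, packet):
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(km, body)):
        raise ValueError("bad tag")  # rejected before any decryption happens
    return stream_xor(ke, body[:NONCE_LEN], body[NONCE_LEN:])

def authenticate_then_encrypt(ke, km, msg):
    nonce = os.urandom(NONCE_LEN)
    # Tag is computed on the plaintext and hidden inside the ciphertext; the
    # receiver has to decrypt unauthenticated bytes before it can check it.
    return nonce + stream_xor(ke, nonce, msg + mac(km, msg))

def encrypt_and_authenticate(ke, km, msg):
    nonce = os.urandom(NONCE_LEN)
    # Tag is computed on the plaintext and sent in the clear next to the ciphertext.
    return nonce + stream_xor(ke, nonce, msg) + mac(km, msg)

def tags_repeat(seal, ke, km, msg):
    """True if sealing the same message twice yields identical trailing tags."""
    return seal(ke, km, msg)[-TAG_LEN:] == seal(ke, km, msg)[-TAG_LEN:]

if __name__ == "__main__":
    ke, km = os.urandom(32), os.urandom(32)  # independent keys, constructed here
    msg = b"constructed sample record"
    pkt = encrypt_then_authenticate(ke, km, msg)
    print(open_encrypt_then_authenticate(ke, km, pkt) == msg)
    print(tags_repeat(encrypt_and_authenticate, ke, km, msg))  # plaintext equality shows
```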

Metadata
Available format(s)
PS
Publication info
Published elsewhere. An abridged version will appear in the proceedings of CRYPTO'2001
Keywords
Secure channels, symmetric encryption, authentication, MAC
Contact author(s)
hugo @ ee technion ac il
History
2001-06-06: received
Short URL
https://ia.cr/2001/045
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2001/045,
      author = {Hugo Krawczyk},
      title = {The order of encryption and authentication for protecting communications (Or: how secure is SSL?)},
      howpublished = {Cryptology ePrint Archive, Paper 2001/045},
      year = {2001},
      note = {\url{https://eprint.iacr.org/2001/045}},
      url = {https://eprint.iacr.org/2001/045}
}