Generally, why we need the secrecy of Hash value? Mostly, the researchers claim that the Encrypt then MAC is more suitable approach to implemented AE. They follows the rules like always compute the MACs on the ciphertext, never on the plaintext and used different keys for Encryption and MAC. Can anyone help me to explain the suitable structure for implementing AE and Which kind of Attacks are possible under which situation?
Encrypt-then-MAC is normally recommended by most researchers,because it makes it easier to prove the security of the encryption part and also avoids any trouble to confidentiality from the MAC..
hi mushtaq,
please see https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec8.pdf
There are issues where you can compose encryption and MAC to get authenticated encryption: Encrypt then MAC is generically correct if the component are secure encryption and secure MAC... Encrypt and MAC are not generically compassable: For example: MAC can leak actual message portions, like X={HMAC(message) concatenated with the first five bytes of the message} is perfectly OK MAC, but if I compose it with good encryption it will always leak the first five bytes of the message and will violate the encryption security (Encrypt then MAC does not suffer from this since whatever MAC leaks it leaks about the cipher text NOT the plaintext).
If MAC is a pseudorandom function actually, then it does not reveal its plaintext and can be composed in an Encrypt and MAC Auth. Encryption scheme, but pseudorandom function is a stronger cryptographic property than simple MAC property.
- Badges
- Science topic
- Similar topics
- Political Science
- International History and Politics
- Globalization