no error returns when a wrong key/iv is used for decrypting

Nikos Mavrogiannopoulos nmav at gnutls.org
Fri Feb 18 02:24:51 CET 2011


On 02/17/2011 06:28 PM, Werner Koch wrote:
> On Thu, 17 Feb 2011 15:03, nmav at gnutls.org said:
> 
>> decrypted (you have to define wrong). What you want is to add an
>> authentication layer to that. I.e. add an HMAC to your encrypted data.
> 
> Or do a plaintext detection to see whether you got the right key.
> OpenPGP uses such a feature without introducing the HMAC overhead.  The
> advantage of such a detection feature is that you can check the key
> right after decrypting a few blocks and not only after having decrypted
> a few gigs of ciphertext.  Anyway, it is all a matter of the protocol
> and not of the crypto building blocks.

This is ok if a quick verification is required, but if malicious
parties are expected, then this method is dangerous. That is because
it depends on the encryption mode. For example, in ECB mode I can
make the plaintext detection work but rearrange the message in any
way I want. In CTR, if the plaintext is known, one could modify it
at will, and even modify any hash appended to it without
detection. If malicious parties are considered, then an HMAC or
authenticated encryption should be used.

regards,
Nikos
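The CTR malleability described in the reply above, as an added example that is not code from libgcrypt, GnuTLS or OpenPGP: the CTR keystream below is built from HMAC-SHA256 over a counter as a stand-in for a block cipher (the attack does not depend on which cipher produces the keystream), the 16-byte `CHECK` marker is a constructed placeholder for a plaintext-detection scheme, and the keys and messages are constructed test data. An attacker who knows the plaintext XORs the ciphertext with the difference between the old and the new body, including the appended SHA-256 digest, so the receiver's marker check and hash check both pass. The encrypt-then-HMAC variant rejects the same bit flip. The ECB rearrangement case is not shown.

```python
import hashlib
import hmac

CHECK = b"PLAINTEXT-CHECK!"   # constructed 16-byte plaintext-detection marker
DIGEST = 32                   # SHA-256 output length


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: HMAC-SHA256(key, nonce || counter) stands in for a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR encryption and decryption are the same XOR with the keystream."""
    return xor(data, keystream(key, nonce, len(data)))


# --- Scheme 1: CTR + plaintext check marker + plain (unkeyed) hash ---------

def encrypt_with_check(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    body = CHECK + msg + hashlib.sha256(msg).digest()
    return ctr_xor(key, nonce, body)


def decrypt_with_check(key: bytes, nonce: bytes, ct: bytes):
    """Returns the message, or None if the marker or the hash does not match."""
    body = ctr_xor(key, nonce, ct)
    if body[:len(CHECK)] != CHECK:
        return None                      # looks like a wrong key
    msg, digest = body[len(CHECK):-DIGEST], body[-DIGEST:]
    if hashlib.sha256(msg).digest() != digest:
        return None
    return msg


def forge_with_check(ct: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    """Attacker without the key: knows known_msg, substitutes new_msg of equal length.
    XORing ct with (old_body XOR new_body) rewrites marker, message and hash at once."""
    assert len(known_msg) == len(new_msg)
    old_body = CHECK + known_msg + hashlib.sha256(known_msg).digest()
    new_body = CHECK + new_msg + hashlib.sha256(new_msg).digest()
    return xor(ct, xor(old_body, new_body))


# --- Scheme 2: CTR + HMAC over nonce and ciphertext (encrypt-then-MAC) ----

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, msg: bytes) -> bytes:
    ct = ctr_xor(enc_key, nonce, msg)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Verify the HMAC before touching the ciphertext; returns None on failure."""
    ct, tag = blob[:-DIGEST], blob[-DIGEST:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xor(enc_key, nonce, ct)


def demo():
    """Returns (what scheme 1 accepts after forgery, what scheme 2 accepts)."""
    key = hashlib.sha256(b"constructed demo key").digest()       # constructed
    mac_key = hashlib.sha256(b"constructed mac key").digest()    # constructed
    nonce = b"\x00" * 16                                         # constructed
    msg = b"pay 0100 EUR to alice"
    evil = b"pay 9999 EUR to mallo"                              # same length

    ct = encrypt_with_check(key, nonce, msg)
    accepted = decrypt_with_check(key, nonce, forge_with_check(ct, msg, evil))

    blob = encrypt_then_mac(key, mac_key, nonce, msg)
    delta = xor(msg, evil).ljust(len(blob), b"\x00")             # same bit flip
    rejected = decrypt_then_verify(key, mac_key, nonce, xor(blob, delta))
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The marker still serves its original purpose, detecting a wrong key early, but it gives no integrity: anything an attacker can compute about the plaintext, including an unkeyed hash of it, can be patched through the keystream. Only a key the attacker lacks (the HMAC key, or an AEAD mode's tag) binds the ciphertext.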
