Join Log in
Score:6
Felipe Rodriguez Fonte avatar Crypto

Does the order of validations and MAC with clear text matter?

in flag
Felipe Rodriguez Fonte

I have a request in which I get a series of data in clear (nothing encrypted) and a MAC / authentication tag.

The question is whether the MAC should be validated first or if the fields are filled in or are numerical (or similar validations). I have always considered that the MAC must be validated first, however, I can think of no arguments for the case where the text is in clear, for the cipher for the oracle attack the need is obvious.

I have consulted two experts and they have two opposing ideas.

What do you think?

816
1 + 0
Score:17
Maarten Bodewes avatar Crypto
in flag
Maarten Bodewes

I'd always first verify the MAC.

It makes more sense protocol-wise, as you are just left with the plaintext values after performing the cryptographic operations. Maybe you want to use a container format or add (authenticated) encryption later.

More importantly though is that you protect your code against logical errors. If an attacker can change values then they can try to find overflows, decoder errors, serialization issues - any flaw that is in the (validation) code.

Basically you are drastically decreasing the attack surface. Now you just have to make sure that your MAC verification and any code before that is secure. Otherwise all your validation code should be correct. For a layered defense you'd really want to test the validation code as well, but in this order an attacker would first have to break or go around the MAC before it can alter the input.

Don't forget to make the comparison of the authentication tag to be constant time, and make sure that you minimize and authenticate any configuration options of the verification itself.

+ 3
Maarten Bodewes avatar
in flag
Maarten Bodewes
You are very welcome. I'm very interested in the arguments of the expert with the opposing view though. If you have those I'd really like to have them in a comment. I'd be surprised if it would alter my opinion, but a good argument is a good argument, and currently I don't have any.
1
Reply
Felipe Rodriguez Fonte avatar
in flag
Felipe Rodriguez Fonte
Of course. The one who said it wasn't necessary argued that for the kind of validations he would perhaps check the one with the least computational cost. If it costs the least to validate the field, he would do that and if it is correct the mac. Whereas the one who said that it was always necessary to validate it, he didn't give me a reason, just that. Thanks Maarten
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
OK, computational costs can indeed be a factor, e.g. when it comes to DDoS attacks, and fail fast is a good principle. However, I'd rather stick with the *known* cost of verifying the MAC. MAC verification should be rather fast on modern systems. You could additionally protect that with some maximum total message size, and of course make sure you use the processors capabilities instead of relying on a slow software implementation. Besides all that that the attacker may tweak his attack so that most successful validations take time *and* the MAC verification still takes place.
3
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.