moxie0 / knockknock

A simple, secure, and stealthy port knocking implementation that does not use libpcap or bind to a socket interface.
http://www.thoughtcrime.org/software/knockknock/
GNU General Public License v3.0

Not IND-CCA secure #4

Open liujed opened 9 years ago

liujed commented 9 years ago

The README specifies IND-CCA as a requirement and states that the implementation uses "authenticate-then-encrypt" to obtain authenticated encryption. Indeed, the code in CryptoEngine.encrypt() computes an HMAC, concatenates it with the plaintext, and encrypts the result. The problem is, MAC-then-encrypt is not IND-CCA secure. To achieve IND-CCA, encrypt-then-MAC should be used. See [1] for details. Figure 2 gives a nice summary of their results.

[1] M. Bellare and C. Namprempre. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm. Advances in Cryptology - Asiacrypt 2000 Proceedings, Lecture Notes in Computer Science Vol. 1976, Springer-Verlag, 2000. http://cseweb.ucsd.edu/~mihir/papers/oem.pdf
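The MAC-then-encrypt versus encrypt-then-MAC distinction from the paper cited above, as an added example that is not part of this issue or of the knockknock code: it reproduces Bellare and Namprempre's generic counterexample, an IND-CPA cipher with a redundant trailing byte that decryption ignores, and shows that MtE accepts a ciphertext altered in that byte while EtM rejects it. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for the project's AES, and the key, nonce and message values are constructed.

```python
import hmac, hashlib, os

TAG_LEN = 32  # HMAC-SHA256 output length

def _keystream(key, nonce, length):
    # Constructed stand-in cipher: HMAC-SHA256 in counter mode as a keystream.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Bellare-Namprempre style IND-CPA scheme: a redundant trailing byte is appended
# on encryption and ignored on decryption. IND-CPA secure, but trivially malleable.
def ind_cpa_encrypt(key, nonce, pt):
    return _xor(pt, _keystream(key, nonce, len(pt))) + b"\x00"

def ind_cpa_decrypt(key, nonce, ct):
    ct = ct[:-1]  # the redundant byte carries no information and is dropped
    return _xor(ct, _keystream(key, nonce, len(ct)))

def mte_encrypt(ek, mk, nonce, pt):
    # MAC-then-encrypt, the order this issue describes: tag the plaintext, encrypt both.
    return ind_cpa_encrypt(ek, nonce, pt + hmac.new(mk, pt, hashlib.sha256).digest())

def mte_decrypt(ek, mk, nonce, ct):
    # The receiver has to decrypt before it can verify anything.
    body = ind_cpa_decrypt(ek, nonce, ct)
    pt, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return pt if hmac.compare_digest(tag, hmac.new(mk, pt, hashlib.sha256).digest()) else None

def etm_encrypt(ek, mk, nonce, pt):
    # Encrypt-then-MAC: the tag covers the nonce and the entire ciphertext.
    ct = ind_cpa_encrypt(ek, nonce, pt)
    return ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def etm_decrypt(ek, mk, nonce, msg):
    # The tag is checked first; nothing is decrypted unless it verifies.
    ct, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None
    return ind_cpa_decrypt(ek, nonce, ct)

def accepts_tweak(encrypt, decrypt, offset):
    # Flip the redundant byte (`offset` from the end) and ask whether the receiver
    # still accepts a ciphertext that differs from the one actually sent.
    ek, mk, nonce, pt = os.urandom(32), os.urandom(32), os.urandom(12), b"open 22"
    msg = bytearray(encrypt(ek, mk, nonce, pt))
    msg[-offset] ^= 0x01
    return decrypt(ek, mk, nonce, bytes(msg)) == pt

def mte_malleable(): return accepts_tweak(mte_encrypt, mte_decrypt, 1)            # True
def etm_malleable(): return accepts_tweak(etm_encrypt, etm_decrypt, TAG_LEN + 1)  # False
```

With MtE a distinct ciphertext is accepted and yields the original plaintext, which is exactly the decryption-oracle query that breaks IND-CCA in the paper's Figure 2; with EtM the same byte sits under the tag and the message is rejected before decryption.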

azet commented 9 years ago

Thanks, was about to open a similar issue when I noticed this one. As far as I can tell from the source code, MAC-then-encrypt is used: https://github.com/moxie0/knockknock/blob/master/knockknock/CryptoEngine.py#L49-52

This could easily be changed to an ETM scheme, is @moxie0 accepting pull requests for that?

As a further reference, a current IETF draft on ETM for TLS by Peter Gutmann: https://tools.ietf.org/html/draft-ietf-tls-encrypt-then-mac

copumpkin commented 8 years ago

Might it make sense to just use GCM?

azet commented 8 years ago

Yes, as would switching to cryptography (https://cryptography.io/).