*** Markus Teich [2018-03-10 21:29]:
>You are correct that it doesn't hurt to add a MAC. I was thinking it wouldn't
>make sense to authenticate to myself. Could you point me to an attack
>scenario where not having a MAC in this scheme is bad?
Actually I cannot. Well, that data could be forged by an adversary,
because it is either lying on the disk or shared via some remote host
over the network. If you decrypt that altered data (without
authentication), then you will get garbage, which presumably is
entered directly into the form or some kind of X11 buffer, for example. It
would just be nice to return a bad exit code if the integrity of the
deciphered text is bad, rather than processing deciphered garbage.
I agree that adding a MAC would not hurt. It is cheaper to add it than
to try to think out all possible attacks. Moreover, some libraries (for
example
https://godoc.org/golang.org/x/crypto/chacha20poly1305) simply
do not allow creating unauthenticated ciphertext at all, for good
reason.
--
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
Received on Sat Mar 10 2018 - 19:41:33 CET
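The two behaviours contrasted in the reply above (an unauthenticated cipher that decrypts a tampered blob into garbage without complaint, versus an AEAD that refuses it outright), as an added Go example that is not code from this thread or from the tool being discussed. It uses AES-256-GCM from the Go standard library in place of the golang.org/x/crypto/chacha20poly1305 package the mail links to; both implement the same cipher.AEAD interface and both refuse to produce or accept ciphertext without a tag. The key, the sample password and the zero CTR IV are constructed for the demo only; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ctrXOR models the unauthenticated scheme under discussion: AES-CTR with
// no MAC. The same call encrypts and decrypts, and it can never fail on a
// tampered input; it returns whatever the keystream XORs out of it.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// newAEAD builds AES-256-GCM from the standard library (assumption: stands in
// for the chacha20poly1305 package named in the mail, same cipher.AEAD API).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns nonce || ciphertext || tag, the blob that would be written to
// disk or sent over the network.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open verifies the tag before releasing any plaintext; a modified blob
// yields an error and no data, so a caller can exit with a bad status
// instead of pasting garbage into a form or X11 buffer.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to hold nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// flipBit returns a copy of b with one bit changed at byte index i, standing
// in for a corrupted file or an altered network message.
func flipBit(b []byte, i int) []byte {
	forged := append([]byte(nil), b...)
	forged[i] ^= 0x01
	return forged
}

// TamperDetected reports whether Open rejects blob after one bit is flipped
// at byte index i (nonce, ciphertext or tag).
func TamperDetected(key, blob []byte, i int) bool {
	_, err := Open(key, flipBit(blob, i))
	return err != nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	secret := []byte("hunter2")          // constructed sample password

	// Without a MAC: the flipped ciphertext "decrypts" with no error, to garbage.
	iv := make([]byte, aes.BlockSize) // fixed zero IV, acceptable for this demo only
	ct, _ := ctrXOR(key, iv, secret)
	garbage, err := ctrXOR(key, iv, flipBit(ct, 0))
	fmt.Printf("CTR without MAC: err=%v plaintext=%q\n", err, garbage)

	// With an AEAD: the same tampering is refused and nothing is returned.
	blob, _ := Seal(key, secret)
	_, err = Open(key, flipBit(blob, len(blob)-1))
	fmt.Printf("AEAD: err=%v\n", err)
}
```

The CTR case shows why "authenticating to myself" still matters: a bit flip in byte 0 of the ciphertext lands as a bit flip in byte 0 of the recovered password, and nothing in the decryption path can notice. With the AEAD, every byte of the stored blob is covered by the tag, so the same flip anywhere produces an error before any plaintext is handed back.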