Re: tagging attacks and forward-message/reply-message distinction
[following up to my own post]
In my excitement I overlooked two typos:
> 2.b. We can implement 1.a. for reply-message headers and 1.b. for reply-message
> payload by having the original sender include MACs, only for headers, in the
> reply block, and having the payload be {en,de}crypted at every hop and never
> visible as decrypted plaintext except to the original sender. (This means that
> the padding has to be appended to the headers instead of the payload so that the
> node can MAC over the headers without knowing how many layers are left to be
> processed. It also means that the padding has to be deterministically generated
> from a secret know to the original sender and to the generating node but not to
^^^^-- "known"
> anyone else.)
...
> Now for every part of the message we have one or other the guarantee: either it
^^^^^^^^^^^^^^^^-- "one or the other"
> comes with a MAC and it gets verified at every hop, or it gets re-encrypted at
> every hop and nobody ever sees the resulting decrypted plaintext except for the
> original sender.
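The mechanism quoted above (a MAC over a fixed-length header verified at every hop, deterministic padding derived from a secret shared with the original sender so the header keeps its length, and a payload that is re-encrypted at every hop and readable only by the original sender), as an added simulation written for this archive. It is illustration code, not the poster's design and not code from any deployed remailer. Assumptions: three hops node0..node2 with symmetric keys pre-shared with the original sender (Alice), HMAC-SHA256 standing in for both the MAC and a counter-mode stream cipher, and a replier-side payload key carried in the reply block (the post does not say how the first hop's view of the payload is protected); the names build_reply_block, node_process, route and demo are chosen here.

```python
import hashlib
import hmac

# Assumed, not from the original post: fixed-width fields and a hypothetical
# 3-node path whose symmetric keys are shared with the original sender (Alice),
# the party who builds the reply block. HMAC-SHA256 in counter mode stands in
# for a real stream cipher.
TAG_LEN = 16                # truncated HMAC-SHA256 tag, one per hop
ADDR_LEN = 16               # fixed-width next-hop address field
LAYER = TAG_LEN + ADDR_LEN  # bytes each node strips from (and pads onto) the header


def prf(key, label, n):
    """n bytes of keystream or padding, deterministic from a shared secret."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def addr(name):
    return name.encode().ljust(ADDR_LEN, b"\0")


def build_reply_block(keys, hops, dest):
    """Alice's reply block: keys[i] is her secret with hops[i]; the last hop delivers to dest.
    Each layer is tag || Enc_i(next_addr || rest). Node i strips LAYER bytes and appends
    LAYER bytes of padding derived from keys[i], so the last hop's header must end in
    the bytes those paddings will have become under later nodes' keystreams (F)."""
    L, hdr_len = len(keys), len(keys) * LAYER
    F = b""
    for k in keys[:-1]:
        if F:
            F = xor(F, prf(k, b"hdr", hdr_len - TAG_LEN)[-len(F):])
        F += prf(k, b"pad", LAYER)
    header = b""
    for i in range(L - 1, -1, -1):
        S = prf(keys[i], b"hdr", hdr_len - TAG_LEN)
        nxt = addr(hops[i + 1]) if i + 1 < L else addr(dest)
        rest = xor(F, S[ADDR_LEN:]) if i == L - 1 else header[:hdr_len - LAYER]
        body = xor(nxt + rest, S)
        header = mac(keys[i], body) + body
    return header


def node_process(key, header, payload):
    """One node's step: verify the MAC over the whole fixed-length header, peel one layer,
    pad the header back to full length, re-encrypt the payload without decrypting it."""
    tag, body = header[:TAG_LEN], header[TAG_LEN:]
    if not hmac.compare_digest(tag, mac(key, body)):
        raise ValueError("header MAC failed: drop (tagging attempt or corruption)")
    dec = xor(body, prf(key, b"hdr", len(body)))
    nxt, rest = dec[:ADDR_LEN], dec[ADDR_LEN:]
    return (nxt.rstrip(b"\0").decode(),
            rest + prf(key, b"pad", LAYER),
            xor(payload, prf(key, b"pay", len(payload))))


def unwrap_payload(keys, payload):
    """Alice strips every per-hop encryption; XOR streams commute, so order is irrelevant."""
    for k in keys:
        payload = xor(payload, prf(k, b"pay", len(payload)))
    return payload


def flip_bit(data, index):
    b = bytearray(data)
    b[index] ^= 1
    return bytes(b)


def route(keys, header, payload, tamper=None):
    """Walk the path; tamper=(i, "header"|"payload") flips one bit just before node i.
    Returns (final destination, payload as delivered, what each node saw of the payload)."""
    seen, dest = [], None
    for i, k in enumerate(keys):
        if tamper and tamper[0] == i:
            header = flip_bit(header, TAG_LEN + 3) if tamper[1] == "header" else header
            payload = flip_bit(payload, 0) if tamper[1] == "payload" else payload
        seen.append(payload)
        dest, header, payload = node_process(k, header, payload)
    return dest, payload, seen


def demo(tamper=None):
    """Constructed scenario. Bob attaches a reply to Alice's block; the block also carries
    a payload key for Bob (assumption: the post does not say how the first hop's view of
    the payload is protected) so that no node, including the first, sees the plaintext."""
    keys = [hashlib.sha256(b"hop-key-%d" % i).digest() for i in range(3)]
    bob_key = hashlib.sha256(b"replier-payload-key").digest()
    header = build_reply_block(keys, ["node0", "node1", "node2"], "alice")
    reply = b"Bob's reply: no mix node may read this, only Alice.."
    dest, ct, seen = route(keys, header, xor(reply, prf(bob_key, b"pay", len(reply))), tamper)
    return dest, unwrap_payload(keys + [bob_key], ct), seen, reply
```

Running demo() untampered delivers to "alice" and her unwrap equals Bob's reply while every node only ever held ciphertext. demo((1, "header")) flips a header bit before node1, whose MAC check fails and drops the message, which is the "MAC verified at every hop" half of the guarantee. demo((1, "payload")) flips a payload bit instead: every node accepts it, and the flipped bit appears only in Alice's decrypted copy, which is the "re-encrypted at every hop, plaintext seen only by the original sender" half. The simulation uses a plain XOR stream, so the payload is bit-malleable; a real design would prefer a non-malleable wide-block construction for the payload, but the property the post relies on, that no intermediate node can observe the effect of a tag, holds either way.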