2

Normally, it is necessary to use authenticated encryption if the message may be tampered with. Can the authentication be omitted if the message has been otherwise authenticated?

Demi

2 Answers

2

Yes, message authentication can be omitted when using an appropriate digital signature on the ciphertext.

A digital signature hashes the message, then encrypts the hash with a nonce and asymmetric key, which makes the security similar to HMAC.

The reason authenticated encryption is preferred is that it is generally less computationally expensive than a digital signature, and easier to build a MAC construct that is side channel resistant.

Richie Frame

1

If you follow the advice to sign-then-encrypt rather than encrypt-then-sign, you should probably use authenticated encryption. Otherwise you are going to be decrypting unauthenticated ciphertext, which with certain ciphers can be dangerous.

For example, with CBC-mode encryption, decrypting unauthenticated ciphertext can allow a padding-oracle attack. If you have a stream cipher, or other malleable cipher, an attacker could be able to change it to some earlier (signed) message, which may violate protocol assumptions like that different nonces mean different messages.

If you are going to sign the ciphertext, then that will indeed take care of authentication as Richie Frame states.

otus
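The encrypt-then-sign arrangement both answers discuss, as an added example that is not code from either answer: the receiver verifies a signature over the nonce and ciphertext before any decryption takes place. To stay within the standard library it assumes a Lamport one-time hash-based signature in place of a production signature scheme and a SHA-256 counter keystream as a stand-in for a malleable stream cipher; all function names are hypothetical.

```python
import hashlib, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy malleable stream cipher (assumption): XOR with SHA-256(key|nonce|counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def lamport_keygen():
    """One-time key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]  # one secret per digest bit; one-time key

def lamport_verify(pk, msg: bytes, sig) -> bool:
    pairs = zip(sig, pk, _bits(msg))
    return len(sig) == 256 and all(hashlib.sha256(s).digest() == p[b] for s, p, b in pairs)

def seal(enc_key, sk, plaintext: bytes):
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(enc_key, nonce, plaintext)
    return nonce, ct, lamport_sign(sk, nonce + ct)  # signature covers nonce and ciphertext

def open_sealed(enc_key, pk, nonce, ct, sig) -> bytes:
    if not lamport_verify(pk, nonce + ct, sig):  # verify before the cipher sees the data
        raise ValueError("signature check failed; ciphertext not decrypted")
    return keystream_xor(enc_key, nonce, ct)

def demo():
    enc_key = secrets.token_bytes(32)
    sk, pk = lamport_keygen()
    nonce, ct, sig = seal(enc_key, sk, b"pay 0100 to alice")  # constructed sample
    tampered = ct[:4] + bytes([ct[4] ^ 0x08]) + ct[5:]        # one bit changed in transit
    unchecked = keystream_xor(enc_key, nonce, tampered)        # decrypts without any error
    try:
        open_sealed(enc_key, pk, nonce, tampered, sig)
        rejected = False
    except ValueError:
        rejected = True
    return open_sealed(enc_key, pk, nonce, ct, sig), unchecked, rejected
```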