by rqs 3112 days ago
I implemented a protocol that uses MtE on a CFB mode cipher. And that's why I asked that question.

Now, it seems like I may have done it horribly wrong, I'm going to fix it right now.

Thank you!

EDIT:

After I read an answer[0] on StackExchange, I realized I maybe did it right (because CFB mode is different from CBC). Looks like I need to learn a whole lot more before starting that fix.

Next time I'll just use GCM and save all these troubles.

[0] https://crypto.stackexchange.com/questions/42369/is-this-sym...

2 comments

In the spirit of learning about these things, you might want to try these: https://cryptopals.com/

In particular, problem number 17 from set 3 is an attack against CBC mode AES used with MAC-then-Encrypt. Maybe a fun exercise would be to first implement that attack against CBC mode, and then try to see if you can make it work against your CFB-HMAC protocol.

MtE isn't the worst choice, I've seen way worse.

The best I can recommend is to take NaCl and then just use secretbox. That picks the good defaults for you. Anything after that needs some research, as even seemingly harmless naive implementations can ruin the entire cryptography of a program.

I don't know what "not the worst choice" means in this context. MtE compositions are generally vulnerable. Are there more flagrant ways to be vulnerable? Sure, I guess?