[11891] in cryptography@c2.net mail archive
Re: Why is RMAC resistant to birthday attacks?
daemon@ATHENA.MIT.EDU (Wei Dai)
Tue Oct 22 16:20:37 2002
Date: Tue, 22 Oct 2002 15:05:46 -0400
From: Wei Dai <weidai@weidai.com>
To: bear <bear@sonic.net>
Cc: Ed Gerck <egerck@nma.com>, Victor.Duchovni@morganstanley.com,
Cryptography <cryptography@wasabisystems.com>
In-Reply-To: <Pine.LNX.4.40.0210221036010.17888-100000@newbolt.sonic.net>
On Tue, Oct 22, 2002 at 11:09:41AM -0700, bear wrote:
> Now Bob sends Alice 2^32 messages (and Alice's key-management
> software totally doesn't notice that the key has been worn to
> a nub and prompt her to revoke it). Reviewing his files, Bob
> finds that he has a January 21 document and a September 30
> document which have the same MAC.
>
> What does Bob do now? How does this get Bob the ability to
> create something Alice didn't sign, but which has a valid MAC
> from Alice's key?
Call the Jan 21 document x, and the Sept 30 document y. Now Bob knows
MAC_Alice(x | z) = MAC_Alice(y | z) for all z, because the internal states
of the MAC after processing x and y are the same and therefore will remain
equal given identical suffixes. So he can get a MAC on x | z and
it's also a valid MAC for y | z, which Alice didn't sign. This applies
for CBC-MAC, DMAC, HMAC, and any other MAC that is neither randomized nor
maintains state (for example a counter) from message to message.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
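Added example, not part of the thread or anyone's posted code: a toy CBC-MAC over a 16-bit block (so a birthday collision is cheap to find) that reproduces Bob's situation and Wei Dai's point that once two documents share an internal state, every common suffix shares a tag, together with the tag-budget calculation a key-management layer could use for the "worn to a nub" threshold bear mentions. The block cipher (a keyed hash truncated to the block size), the key, the counter-derived documents and the 16-bit block size are all constructed stand-ins; only the chaining argument carries over to a real block size.

```python
import hashlib
import math

BLOCK_BITS = 16                 # constructed: tiny block so the birthday collision is cheap
BLOCK_BYTES = BLOCK_BITS // 8


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher inside CBC-MAC (constructed, NOT a real cipher).
    A keyed hash truncated to the block size is deterministic and key-dependent,
    which is all the chaining argument below relies on."""
    return hashlib.blake2s(block, key=key, digest_size=BLOCK_BYTES).digest()


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Plain CBC-MAC over whole blocks; the tag is the final chaining state."""
    if len(msg) % BLOCK_BYTES:
        raise ValueError("message must be a whole number of blocks")
    state = bytes(BLOCK_BYTES)
    for i in range(0, len(msg), BLOCK_BYTES):
        block = msg[i:i + BLOCK_BYTES]
        state = toy_block_cipher(key, bytes(a ^ b for a, b in zip(state, block)))
    return state


def find_internal_collision(key: bytes, max_tries: int = 1 << 17):
    """Bob's situation from the thread: keep the tags Alice issued until two
    distinct documents share one. Documents are constructed 2-block messages
    derived from a counter, so no two are equal. Returns (x, y, tags_seen)."""
    seen = {}
    for i in range(max_tries):
        msg = i.to_bytes(2 * BLOCK_BYTES, "big")
        tag = cbc_mac(key, msg)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg
    raise RuntimeError("no collision within max_tries")


def suffix_collision_holds(key: bytes, x: bytes, y: bytes, z: bytes) -> bool:
    """Wei Dai's observation: equal state after x and y means MAC(x|z) == MAC(y|z)
    for every suffix z, so a tag issued on x|z also verifies for y|z."""
    return cbc_mac(key, x + z) == cbc_mac(key, y + z)


def stateful_mac(key: bytes, counter: int, msg: bytes) -> bytes:
    """The exception named at the end of the reply: binding a never-repeated
    counter into the first block means two later queries never start from the
    shared state reached after x and y, so the old collision is not reusable."""
    return cbc_mac(key, counter.to_bytes(BLOCK_BYTES, "big") + msg)


def birthday_collision_probability(n_bits: int, q: int) -> float:
    """P[some two of q tags collide] for an n-bit chaining state (standard approximation)."""
    return 1.0 - math.exp(-q * (q - 1) / 2.0 ** (n_bits + 1))


def tag_budget(n_bits: int, p_max: float) -> int:
    """Largest number of tags under one key that keeps the collision probability
    at or below p_max: the threshold key-management software could enforce
    before prompting for a key change."""
    return int(math.sqrt(2.0 ** (n_bits + 1) * -math.log(1.0 - p_max)))


if __name__ == "__main__":
    key = b"constructed demo key"
    x, y, seen = find_internal_collision(key)
    print(f"collision after {seen} tags (expected around {2 ** (BLOCK_BITS // 2)})")
    for z in (b"\x00\x01", b"more", b"\xff" * 6):
        print(f"MAC(x|z) == MAC(y|z) for z={z!r}: {suffix_collision_holds(key, x, y, z)}")
    print("tags allowed under a 64-bit state at p_max=2^-20:", tag_budget(64, 2.0 ** -20))
```

The suffix check is exactly the step Bob would take after noticing the January and September documents share a tag; the budget function is the defensive counterpart, turning the birthday bound into a per-key counter that the key-management software in bear's scenario failed to keep.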