[25597] in cryptography@c2.net mail archive
Re: picking a hash function to be encrypted
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Sun May 14 20:24:42 2006
X-Original-To: cryptography@metzdowd.com
To: "Travis H." <solinym@gmail.com>
Cc: Cryptography <cryptography@metzdowd.com>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 14 May 2006 16:36:10 -0700
In-Reply-To: <d4f1333a0605140104g5965cc38w6e0df1401c726b5b@mail.gmail.com> (Travis
H.'s message of "Sun, 14 May 2006 03:04:41 -0500")
"Travis H." <solinym@gmail.com> writes:
> So...
>
> Suppose I want a function to provide integrity and authentication, and
> that is to be combined with a stream cipher (as is the plaintext). I
> believe that authentication is free once I have integrity given the
> fact that the hash value is superencrypted using the stream cipher,
> whose key is shared by only the sender and recipient.
It's not safe to use a hash function this way if the content is known
to the attacker.
Consider the case where you're transmitting message M. The
hash is H(M). You then encrypt (M || H(M)), generating
K XOR (M || H(M)). If the attacker knows M and H, he can
compute (M || H(M)) and compute K. Then he can re-encrypt
a message M' of his choice.
If you want integrity with a stream cipher you'd really
be much better off using a MAC.
-Ekr
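Worked illustration of the exchange above, added here as an example; it is not code from either poster. It assumes SHA-256 as H, HMAC-SHA256 as the MAC (encrypt-then-MAC with a separate MAC key), and a toy SHA-256 counter-mode keystream standing in for the stream cipher; the keys and message strings are constructed sample values. The first half implements the K XOR (M || H(M)) construction from the question and shows that knowledge of M gives back K and lets a different M' pass the receiver's hash check; the second half shows the same keystream recovery failing against a keyed MAC.

```python
import hashlib
import hmac

# Constructed sample keys (not from the thread). The MAC key is independent
# of the encryption key.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
DIGEST_LEN = hashlib.sha256().digest_size  # 32


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stand-in for the stream cipher,
    chosen only so the example runs offline; prefixes are consistent."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- The construction in the question: K XOR (M || H(M)) -----------------

def seal_with_hash(key: bytes, msg: bytes) -> bytes:
    body = msg + hashlib.sha256(msg).digest()
    return xor(keystream(key, len(body)), body)


def open_with_hash(key: bytes, ct: bytes):
    """Returns the message, or None if the decrypted hash does not match."""
    body = xor(keystream(key, len(ct)), ct)
    msg, tag = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(msg).digest()):
        return None
    return msg


def forge_known_plaintext(ct: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    """Ekr's point: with M known, C XOR (M || H(M)) gives back K, and
    K XOR (M' || H(M')) is then a valid ciphertext for any M'. Only len(ct)
    keystream bytes are recovered, so M' || H(M') cannot be longer than
    the original body."""
    known_body = known_msg + hashlib.sha256(known_msg).digest()
    ks = xor(ct, known_body)
    new_body = new_msg + hashlib.sha256(new_msg).digest()
    if len(new_body) > len(ks):
        raise ValueError("forged body exceeds recovered keystream length")
    return xor(ks[: len(new_body)], new_body)


# --- Ekr's recommendation: a keyed MAC (encrypt-then-MAC with HMAC) -------

def seal_with_mac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    ct = xor(keystream(enc_key, len(msg)), msg)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_with_mac(enc_key: bytes, mac_key: bytes, sealed: bytes):
    """Returns the message, or None if the HMAC tag does not verify."""
    ct, tag = sealed[:-DIGEST_LEN], sealed[-DIGEST_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(keystream(enc_key, len(ct)), ct)


def tamper_with_mac_scheme(sealed: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    """The same keystream recovery applied to the MAC scheme: the ciphertext
    bytes can be rewritten, but the old tag no longer covers them and a new
    tag needs mac_key, so open_with_mac rejects the result."""
    ct, tag = sealed[:-DIGEST_LEN], sealed[-DIGEST_LEN:]
    ks = xor(ct, known_msg)
    if len(new_msg) > len(ks):
        raise ValueError("forged message exceeds recovered keystream length")
    return xor(ks[: len(new_msg)], new_msg) + tag


if __name__ == "__main__":
    m = b"transfer $100 to Alice"   # constructed sample message
    m2 = b"transfer $999 to Bob"    # constructed forgery, no longer than m
    ct = seal_with_hash(ENC_KEY, m)
    print("hash scheme accepts forgery:",
          open_with_hash(ENC_KEY, forge_known_plaintext(ct, m, m2)) == m2)
    sealed = seal_with_mac(ENC_KEY, MAC_KEY, m)
    print("MAC scheme accepts tampering:",
          open_with_mac(ENC_KEY, MAC_KEY, tamper_with_mac_scheme(sealed, m, m2)) is not None)
```

The receiver in the first scheme has nothing secret to check against: H(M') is computable by anyone, so once the keystream is known the hash check passes for whatever M' was substituted. In the second scheme the tag depends on a key the forger does not hold, which is the difference between integrity against transmission errors and integrity against an adversary.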
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com