Question on proper MAC usage; or, How does the Horton Principle apply to key-definition records?
From: John M. Dlugosz (john_at_dlugosz.com)
Date: 09/08/03
- Next message: Steven: "Re: Guarantee of finding a prime in a fixed interval?"
- Previous message: Anton Stiglic: "Guarantee of finding a prime in a fixed interval?"
- Next in thread: ScottD: "Re: Question on proper MAC usage; or, How does the Horton Principle apply to key-definition records? (are my posts showing up)"
- Reply: ScottD: "Re: Question on proper MAC usage; or, How does the Horton Principle apply to key-definition records? (are my posts showing up)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 8 Sep 2003 12:45:59 -0700
Suppose I have some encrypted data. The data is also authenticated
using a MAC, and furthermore all data that affects its meaning but is
not part of the actual encrypted data (e.g. "headers" or "meta-data")
is subject to the MAC. I understand that.
But there is one piece of meta-data in particular that has me
wondering. What about a key-definition record? A simple
key-definition might contain a prompt string, "Enter password one",
and parameters specifying how to convert the string to a binary key.
Does this key-definition record get a MAC? "Why not?" one may ask.
Well, the only thing it can be authenticated with is the very key it
accesses, and this provides a quick way to brute-force a key search.
So perhaps it is actually a bad idea to include a MAC for this! Is
it?
If someone changed the prompt to "Enter password two", then someone
who follows the directions will not authenticate the message, which is
exactly what would happen if the key-definition was MAC'ed. Putting a
MAC on the key definition seems to be a way to validate keys without
doing much work.
But it bugs me that someone could indeed tamper with the prompt and go
undetected. Here is one way to exploit that: if nobody notices, then
the attacker knows that password one and password two are actually the
same.
I wonder if there is some algorithm other than a typical MAC (e.g.
keyed hash over the body of the record) that can be used to detect
tampering without making it simple to test keys. For example, iterate
the hash 2-to-the-n times like with key strengthening.
--John
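A worked illustration of the trade-off described above, added here as an example and not taken from the original post or the thread: the key-definition record (prompt plus key-derivation parameters, in an assumed JSON layout) is protected by an HMAC whose key is derived from the password through an iterated KDF, so every guess at the password costs a full key-stretching run, and tampering with the prompt is still detected. Function and record names are this example's own.

```python
import hashlib
import hmac
import json


def make_record(prompt: str, iterations: int, salt: bytes) -> dict:
    """Constructed key-definition record: the user-facing prompt plus the
    parameters that turn the typed password into a binary key."""
    return {
        "prompt": prompt,
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
    }


def encode_record(record: dict) -> bytes:
    # Canonical encoding so the MAC covers exactly the bytes the software
    # will later interpret (sorted keys, no whitespace).
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def derive_master_key(password: str, record: dict) -> bytes:
    # The deliberately expensive step: an attacker testing a password guess
    # against the record's MAC has to pay for all of these iterations first.
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]),
        record["iterations"], dklen=32,
    )


def mac_subkey(master_key: bytes) -> bytes:
    # Derive a MAC-only subkey so the key that authenticates the record is
    # distinct from the key used to encrypt the payload.
    return hmac.new(master_key, b"key-definition-mac", hashlib.sha256).digest()


def mac_record(record: dict, password: str) -> bytes:
    master = derive_master_key(password, record)
    return hmac.new(mac_subkey(master), encode_record(record), hashlib.sha256).digest()


def verify_record(record: dict, tag: bytes, password: str) -> bool:
    # Constant-time comparison; any change to prompt, salt or iteration count
    # (or a wrong password) yields a mismatch.
    return hmac.compare_digest(mac_record(record, password), tag)
```

Raising the iteration count in the record is what makes the MAC a slow password-test oracle rather than a fast one; the salt and count are themselves under the MAC, so an attacker cannot lower them without detection.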