Proper MAC usage?
From: John M. Dlugosz (john_at_dlugosz.com)
Date: 09/10/03
- Next message: David Wagner: "Re: So was GSM or UMTS crypto broken?"
- Previous message: Ernst Lippe: "Re: Cryptoengines with usage accounting"
- Next in thread: Kevin Buhr: "Re: Proper MAC usage?"
- Reply: Kevin Buhr: "Re: Proper MAC usage?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 10 Sep 2003 07:44:20 -0700
Suppose I have some encrypted data. The data is also authenticated
using a MAC, and furthermore all data that affects its meaning but is
not part of the actual encrypted data (e.g. "headers" or "meta-data")
is subject to the MAC. I understand that.
But there is one piece of meta-data in particular that has me
wondering. What about a key-definition record? A simple
key-definition might contain a prompt string, "Enter password one",
and parameters specifying how to convert the string to a binary key.
Does this key-definition record get a MAC? "Why not?" one may ask.
Well, the only thing it can be authenticated with is the very key it
accesses, and this provides a quick way to brute-force a key search.
So perhaps it is actually a bad idea to include a MAC for this! Is
it?
If someone changed the prompt to "Enter password two", then someone
who follows the directions will not authenticate the message, which is
exactly what would happen if the key-definition was MAC'ed. Putting a
MAC on the key definition seems to be a way to validate keys without
doing much work.
But it bugs me that someone could indeed tamper with the prompt and go
undetected. Here is one way to exploit that: if nobody notices, then
the attacker knows that password one and password two are actually the
same.
I wonder if there is some algorithm other than a typical MAC (e.g.
keyed hash over the body of the record) that can be used to detect
tampering without making it simple to test keys. For example, iterate
the hash 2-to-the-n times like with key strengthening.
--John
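An added example (not from the post or from any library it mentions) of the arrangement the post converges on: the key-definition record, prompt and KDF parameters included, is MAC'ed under a key that can only be produced by running the iterated (key-stretched) derivation, so tampering with the prompt is detected while every verification attempt, right or wrong, pays the full iteration cost. The record layout, field names, salt and password are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

def make_key_definition(prompt, salt, iterations):
    # Constructed key-definition record: the prompt shown to the user plus the
    # parameters for turning the typed password into a binary key. The field
    # names are assumptions made for this example.
    return {"prompt": prompt, "kdf": "pbkdf2-sha256",
            "salt": salt.hex(), "iterations": iterations}

def canonical(record):
    # Deterministic byte encoding so the same record always MACs identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def derive_keys(password, record):
    # PBKDF2 is the iterated hash ("iterate the hash 2^n times"): any check of
    # a password pays the stored iteration count. 64 bytes are derived and
    # split so the record-MAC key is distinct from the data-encryption key.
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(record["salt"]),
                              record["iterations"], dklen=64)
    return raw[:32], raw[32:]   # (data-encryption key, record-MAC key)

def mac_key_definition(password, record):
    # The tag covers prompt, salt and iteration count, so editing any of them
    # (for instance changing "Enter password one") is detected on verify.
    _, mac_key = derive_keys(password, record)
    return hmac.new(mac_key, canonical(record), hashlib.sha256).digest()

def verify_key_definition(password, record, tag):
    # The expected tag can only be computed by running the slow KDF with the
    # parameters the tag was made over, so lowering "iterations" in the
    # stored record does not make verification any cheaper.
    return hmac.compare_digest(mac_key_definition(password, record), tag)

def demo():
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    pw = "correct horse battery staple"                       # constructed
    record = make_key_definition("Enter password one", salt, 50_000)
    tag = mac_key_definition(pw, record)
    tampered = dict(record, prompt="Enter password two")
    weakened = dict(record, iterations=1)
    return {
        "honest": verify_key_definition(pw, record, tag),
        "tampered_prompt": verify_key_definition(pw, tampered, tag),
        "lowered_cost": verify_key_definition(pw, weakened, tag),
        "wrong_password": verify_key_definition(pw + "x", record, tag),
    }

if __name__ == "__main__":
    print(demo())  # only "honest" is True
```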