Re: Humble Contribution
From: Nicol So (anonymous_at_no.spam.please)
Date: 01/31/04
- Next message: Bill Unruh: "Re: FFT test with few kbits"
- Previous message: Tom St Denis: "Re: Help with cypher"
- In reply to: Brian Ross: "Re: Humble Contribution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 31 Jan 2004 14:20:31 GMT
Brian Ross wrote:
> "Phil Carmody" <thefatphil_demunged@yahoo.co.uk> wrote:
>
>>It permits someone to append "Only Joking!!!" to a message and recompute
>>the hash as if he were the originator of the original. It's an attack,
>>it's just not attacking what you think it's attacking.
>
> This is why I was confused and why it wasn't entirely clear what you were
> saying is possible...
>
> It is _NOT_ true that you can append "Only Joking!!!" to the message and
> recompute the hash (and I don't think that is what you mean to say). It is
> true that you can append some binary 'junk' (padding/length bytes from
> original message) and then "Only Joking!!!". This is are two things which
> are very different, IMHO.
It is true that based on the attack discussed, you cannot just append
"Only Joking" without appending some addition binary junk as well.
However, the semantics of what is hashed is application-dependent.
It is conceivable that in some applications, the message format allows
arbitrary junk to be embedded. This is not far-fetched: if the message
itself is data originally received from another noise channel, the
message is expected to contain some segments of random garbage.
Concrete examples of hash functions are often modeled as random
functions. Of course, we know that they're not random functions, but
(perhaps unjustifiably) we don't seem to expect to notice a difference
in real applications. This is where a message-extension property breaks
the abstraction. If SHA-1, MD5 etc indeed behave like random functions,
we expect H(K||M) to be a secure MAC construction. This is because for a
random function, H(K||M) and H(K||M') are unrelated, for any distinct M
and M' (an example of which is M' = M||Y, for some Y).
The message-extension property of real hash functions allow MACs to be
forged in the above MAC construction. And the forgery can be done
without knowledge of the secret key K.
> After thinking about this - I am curious what security 'holes' might be
> exposed by this? Honestly, I can't think of a single reason why it would
> matter that this is possible (but I am no expert). If you want to supply a
> faked message and a new unique hash - who cares if it happens to contain the
> other message as a prefix? How would this be any worse than, lets say, just
> completely replacing the message and providing a new unique hash? It isn't
> like you are relying completely on the hash as a method for providing
> signatures?
You're trying to reason about the (in-)security of hash functions in
terms of specific application scenarios. The problem is, you may not
know all the possible ways people may want to use a hash function. If a
hash function breaks the abstraction, it may differently from what you
expect, in some arbitrary way.
-- Nicol So Disclaimer: Views expressed here are casual comments and should not be relied upon as the basis for decisions of consequence.
- Next message: Bill Unruh: "Re: FFT test with few kbits"
- Previous message: Tom St Denis: "Re: Help with cypher"
- In reply to: Brian Ross: "Re: Humble Contribution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
