Re: AES MAC security question
From: Joseph Ashwood (ashwood_at_msn.com)
Date: Mon, 04 Jul 2005 01:43:27 GMT
"Mike Amling" <firstname.lastname@example.org> wrote in message
> Rein Anders Apeland wrote:
>> Now, those were some ideas I liked, thank you! Limit processing to
>> e.g. one packet per second and having a shared secret included in
>> the MAC too.
> The MAC key is already a shared secret, no?
It is, but it is revealed implicitly. Adding the padding secret raises the
effective bar beyond what can be safely done, even though it does not raise
the information theoretic bar. With the 32-bit MAC and the timeframes
available many times (e.g. my car has been parked within 100 feet of a
single location for about 5 years now) this gives opportunity to the real
world hacker. The information theoretic attack would be building a counter
of some kind from usage, while the real world attacker would be guessing
MACs. The information theoretic attack is not affected in any way by the
padding, instead relying on the security of AES to prevent a break. The real
world attacker gains no information from the minimal number of samples
available. Through combining these two (at night scan the car, log the data
whenever a legitimate use is made) the target begins to fall, but will only
fall to the minimum of the two. The secret padding raises the real world bar
some, bringing it closer to the information theoretic bar, at least hopefully.
My goal was to keep the computation bar at the same height, but raise the
attack bar in any way possible even if it's millimeters at a time.