Re: MAC / MIC / MD for short messages



Michael Meier wrote:
> Hi,
>
> hm, so to ensure that an attacker needs to break both methods, I
> encapsulate the methods with authentication-first. If I do the
> encryption and authentication like this K{message | MAC}, I should have
> ensured that an attacker first needs to break the AES encryption to be
> able to mess with the MAC code.
> Now if we regard the encryption as secure, it shouldn't be necessary
> any more to use an extremely strong MAC.

For a short MAC (say, 32 bits or fewer), a brute force attack works just as well whether the MAC is encrypted or not, right?

> Then, the MAC ensures checking
> for the correct decryption of the packet, but it is not the target of an
> attack any more, is it?

Sounds plausible, but it would be better to have a proof.

> (Ok, now I cannot check the integrity of the packet any more before
> decrypting it)

You'd have to decrypt the MAC to check it, but not necessarily decrypt the message. Just because you're encrypting the MAC doesn't mean that the MAC has to be of the plaintext. You could encrypt a MAC of the message's ciphertext. If you're using a stream cipher, you could reserve earlier bits of the stream for use on the MAC, so that later bits in the stream don't have to be generated by the recipient if the MAC check fails.

> For me this method seems to be better than K{message} | MAC (like it
> is done with CCM). Now, the MAC is the target of a possible forgery attack
> to alter the encrypted packet and it is necessary to use a long MAC,
> e.g. 128 bits to secure it.

A proper MAC truncated to 64 bits still takes an attacker a long time to forge.

--Mike Amling
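
The layout suggested in the reply above, as an added example that is not part of the original posts: a MAC of the ciphertext, truncated to 64 bits and masked with the earliest keystream bytes, so the recipient can reject a packet after generating only those bytes. SHAKE-256 as the stream cipher, HMAC-SHA256 as the MAC, and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac

TAG_LEN = 8      # 64-bit truncated tag, the length mentioned in the reply
KS_CALLS = []    # records how many keystream bytes each call produced

def keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumption: SHAKE-256 stands in for a real stream cipher. Like one, it
    # yields the first n bytes without computing any later ones.
    KS_CALLS.append(n)
    return hashlib.shake_256(enc_key + nonce).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def tag_for(mac_key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # MAC over the ciphertext (and nonce), truncated to TAG_LEN bytes.
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(enc_key, nonce, TAG_LEN + len(plaintext))
    ct = xor(plaintext, ks[TAG_LEN:])            # later keystream: message
    masked = xor(tag_for(mac_key, nonce, ct), ks[:TAG_LEN])  # earliest: MAC
    return masked + ct

def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, packet: bytes):
    if len(packet) < TAG_LEN:
        return None
    masked, ct = packet[:TAG_LEN], packet[TAG_LEN:]
    # Only the reserved keystream prefix is needed to check the tag.
    tag = xor(masked, keystream(enc_key, nonce, TAG_LEN))
    if not hmac.compare_digest(tag, tag_for(mac_key, nonce, ct)):
        return None                              # reject before decrypting
    ks = keystream(enc_key, nonce, TAG_LEN + len(ct))
    return xor(ct, ks[TAG_LEN:])

if __name__ == "__main__":
    # Constructed keys, nonce and message, for illustration only.
    ek, mk, nonce = b"E" * 32, b"M" * 32, b"N" * 12
    pkt = seal(ek, mk, nonce, b"short msg")
    print(unseal(ek, mk, nonce, pkt))
    bad = pkt[:-1] + bytes([pkt[-1] ^ 1])        # one flipped ciphertext bit
    KS_CALLS.clear()
    print(unseal(ek, mk, nonce, bad), KS_CALLS)  # rejected after TAG_LEN bytes
```

The nonce must never repeat under the same encryption key, since a repeat reuses both the message keystream and the bytes masking the tag.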