Re: David's authenticated encryption mode.



Tom St Denis wrote:
> It looks nice, but my concern is that an attacker can learn the
> intermediate values of H[0], H[1], etc. before the final output. Will
> that affect the security of the MAC?
>
> Tom

Thanks for thinking it looks nice. And yes, that the attacker can guess
some of the intermediate hashes probably is the main concern. I am no
cryptanalyst, but as far as I understand it should not be a problem for
several reasons:

The attacker cannot figure out any previous state from a guessed
intermediate hash, since it comes out of a secure one-way function.

And he cannot learn any later state, since it gets XORed with the key
again and then sent into the next secure one-way function, which will mix
it up very well.

And if the attacker changes one encrypted block in transit, he can only
affect one cleartext block in a controlled manner, but the MAC will be
garbled and thus the attack detected by the receiver. The attacker cannot
fix that by changing one of the following ciphertext blocks, since in the
next block operation the intermediate hash he changed will be so mixed up
that he doesn't know how to fix it in the later blocks.

I hope my assumptions hold...

For those of you who don't see it: an attacker can guess a cleartext
message block, XOR that with the corresponding ciphertext block and
thus get the corresponding intermediate hash, thereby "guessing" an
intermediate hash.


By the way Tom, I love your crypto programming library.


Greetings from sunny Gothenburg, Sweden, Northern Europe,

.../David

--------------------------------
David Göthberg
http://www.pjort.com
Email: david(a)pjort.com
--------------------------------
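Added example, not part of the thread and not David's actual mode: the mode itself is specified in an earlier post and not on this page, so the Python below is my own toy model that only reproduces the properties the post describes (a per-block intermediate hash H[i] used as keystream, the next state derived by XORing H[i] with the key and running the result through a one-way function together with the block just produced, and the final state used as the MAC). SHA-256 as the one-way function, the exact chaining rule, the 32-byte key, the zero nonce and the sample message are all assumptions made here for illustration. It shows the known-plaintext step from the post (C[i] XOR guessed P[i] recovers H[i]), the one-block controlled change an attacker gets by flipping ciphertext bits, and that in this model the tag then fails and the following block is garbled.

```python
"""Toy chained-hash AE model (assumed here, not David's spec)."""
import hashlib
import hmac
from typing import List, Optional, Tuple

BLOCK = 32  # one SHA-256 digest per keystream block


def one_way(data: bytes) -> bytes:
    """The post's 'secure one-way function', modelled here as SHA-256."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg: bytes) -> bytes:
    """Zero-pad to whole blocks (toy padding, not a secure scheme)."""
    return msg + b"\x00" * (-len(msg) % BLOCK)


def state_chain(key: bytes, nonce: bytes, ciphertext: bytes) -> List[bytes]:
    """H[0] = hash(key || nonce); H[i+1] = hash((H[i] XOR key) || C[i])."""
    states = [one_way(key + nonce)]
    for i in range(0, len(ciphertext), BLOCK):
        states.append(one_way(xor(states[-1], key) + ciphertext[i:i + BLOCK]))
    return states


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """C[i] = P[i] XOR H[i]; the MAC is hash(H[n] XOR key)."""
    assert len(key) == BLOCK, "assumed model uses a 32-byte key"
    pt = pad(plaintext)
    h = one_way(key + nonce)
    out = bytearray()
    for i in range(0, len(pt), BLOCK):
        c = xor(pt[i:i + BLOCK], h)
        out += c
        h = one_way(xor(h, key) + c)
    return bytes(out), one_way(xor(h, key))


def raw_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Keystream-only decryption with no tag check (what the receiver would see)."""
    states = state_chain(key, nonce, ciphertext)
    return b"".join(xor(ciphertext[i:i + BLOCK], states[i // BLOCK])
                    for i in range(0, len(ciphertext), BLOCK))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the MAC in constant time first; return None on mismatch."""
    final_state = state_chain(key, nonce, ciphertext)[-1]
    if not hmac.compare_digest(one_way(xor(final_state, key)), tag):
        return None
    return raw_decrypt(key, nonce, ciphertext)


def recover_intermediate_hash(ciphertext_block: bytes, guessed_plaintext: bytes) -> bytes:
    """The post's observation: a correct plaintext guess yields H[i] = C[i] XOR P[i]."""
    return xor(ciphertext_block, guessed_plaintext)


def tamper(ciphertext: bytes, block_index: int, delta: bytes) -> bytes:
    """Flip chosen bits in one ciphertext block; the same bits flip in P[i]."""
    start = block_index * BLOCK
    return (ciphertext[:start] + xor(ciphertext[start:start + BLOCK], delta)
            + ciphertext[start + BLOCK:])


def demo() -> dict:
    # Constructed sample key, nonce and message (not from the thread).
    key = bytes(range(BLOCK))
    nonce = b"\x00" * 16
    block0 = b"AMOUNT=0000100 TO=ALICE".ljust(BLOCK, b" ")
    block1 = b"REF=INVOICE-42".ljust(BLOCK, b" ")
    msg = block0 + block1
    ct, tag = encrypt(key, nonce, msg)

    # Attacker guesses block 0 correctly and so learns H[0].
    guessed_h0 = recover_intermediate_hash(ct[:BLOCK], block0)
    true_h0 = state_chain(key, nonce, ct)[0]

    # Attacker rewrites the amount by flipping the differing bits in C[0].
    want = b"AMOUNT=9999999 TO=ALICE".ljust(BLOCK, b" ")
    ct2 = tamper(ct, 0, xor(block0, want))
    seen = raw_decrypt(key, nonce, ct2)

    return {
        "recovered_matches": guessed_h0 == true_h0,
        "tampered_block0": seen[:BLOCK],             # controlled change lands here
        "block1_garbled": seen[BLOCK:] != block1,    # H[1] changed, so P[1] is noise
        "tampered_accepted": decrypt(key, nonce, ct2, tag) is not None,
        "original_accepted": decrypt(key, nonce, ct, tag) == msg,
    }
```

The model makes H[i+1] depend on C[i], which is what gives the post's "one controlled block, then everything garbles" behaviour; a keystream chain that did not absorb the ciphertext would let a bit flip in block i pass the MAC unnoticed, which is the property to check in the real mode. Note also that the recovered H[0] is exactly the keystream for that block, so a correct guess of one block gives nothing beyond the plaintext already guessed, but it is the value an analyst would start from when looking for a way through the key XOR to H[1].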
