picking a hash function to be encrypted

Eric Rescorla ekr at rtfm.com
Sun May 14 19:36:10 EDT 2006


"Travis H." <solinym at gmail.com> writes:

> So...
>
> Suppose I want a function to provide integrity and authentication, and
> that is to be combined with a stream cipher (as is the plaintext).  I
> believe that authentication is free once I have integrity given the
> fact that the hash value is superencrypted using the stream cipher,
> whose key is shared by only the sender and recipient.

It's not safe to use a hash function this way if the content is known
to the attacker.

Consider the case where you're transmitting message M. The 
hash is H(M). You then encrypt (M || H(M)), generating
K XOR (M || H(M)). If the attacker knows M and H, he can
compute (M || H(M)) and compute K. Then he can re-encrypt
a message M' of his choice.

If you want integrity with a stream cipher, you'd really
be much better off using a MAC.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
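The failure Ekr describes, worked through as an added example (this code is not from the list thread or either poster): message M is encrypted as K XOR (M || H(M)), an observer who knows M recovers the keystream and re-encrypts an M' of their choosing, and the recipient's hash check accepts it. The same keystream recovery against an encrypt-then-MAC construction does not yield a valid tag, so the forgery is rejected. The "stream cipher" here is a constructed SHA-256 counter-mode keystream used only for its XOR structure; the keys and messages are constructed sample values.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 output length, used for both H(M) and the HMAC tag


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode (constructed for this
    example, not a recommended cipher). Only the XOR structure matters."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme 1: the construction from the question: K XOR (M || H(M)) ---

def encrypt_with_hash(key: bytes, m: bytes) -> bytes:
    body = m + hashlib.sha256(m).digest()
    return xor(body, keystream(key, len(body)))


def decrypt_and_check_hash(key: bytes, c: bytes):
    """Returns the message if the superencrypted hash checks out, else None."""
    body = xor(c, keystream(key, len(c)))
    m, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return m if hmac.compare_digest(hashlib.sha256(m).digest(), tag) else None


def keystream_from_known_plaintext(c: bytes, known_m: bytes) -> bytes:
    """Ekr's observation: anyone who knows M (and H) can compute M || H(M)
    and XOR it against the ciphertext to recover the keystream prefix."""
    return xor(c, known_m + hashlib.sha256(known_m).digest())


def reencrypt_under_recovered_keystream(ks: bytes, new_m: bytes) -> bytes:
    """Re-encrypts a different M' under the recovered keystream. Limited to
    messages whose M' || H(M') fits inside the keystream that was recovered."""
    body = new_m + hashlib.sha256(new_m).digest()
    if len(body) > len(ks):
        raise ValueError("M' || H(M') is longer than the recovered keystream")
    return xor(body, ks[:len(body)])


# --- Scheme 2: stream cipher plus a keyed MAC (encrypt-then-MAC) ---

def encrypt_with_mac(enc_key: bytes, mac_key: bytes, m: bytes) -> bytes:
    c = xor(m, keystream(enc_key, len(m)))
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def decrypt_and_verify_mac(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Returns the message only if the HMAC tag over the ciphertext verifies."""
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, c, hashlib.sha256).digest(), tag):
        return None
    return xor(c, keystream(enc_key, len(c)))


def demo() -> dict:
    # Constructed sample keys and messages.
    key, enc_key, mac_key = b"stream-key", b"enc-key", b"mac-key"
    m = b"PAY ALICE 100 USD"
    m_forged = b"PAY MALLORY 9999"  # one byte shorter, so it fits the recovered keystream

    # Hash-only scheme: the recipient's check accepts the re-encrypted M'.
    c = encrypt_with_hash(key, m)
    ks = keystream_from_known_plaintext(c, m)
    forged = reencrypt_under_recovered_keystream(ks, m_forged)
    hash_scheme_accepts_forgery = decrypt_and_check_hash(key, forged) == m_forged

    # MAC scheme: the keystream over the ciphertext part is recovered just the
    # same, but without mac_key no valid tag exists for the new ciphertext.
    blob = encrypt_with_mac(enc_key, mac_key, m)
    c_part, old_tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ks2 = xor(c_part, m)
    forged_blob = xor(m_forged, ks2[:len(m_forged)]) + old_tag
    mac_scheme_accepts_forgery = decrypt_and_verify_mac(enc_key, mac_key, forged_blob) is not None

    return {
        "hash_scheme_accepts_forgery": hash_scheme_accepts_forgery,
        "mac_scheme_accepts_forgery": mac_scheme_accepts_forgery,
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that H(M) carries no secret: once the keystream is known, anyone can compute a matching hash for any replacement message. HMAC with a key the sender and recipient share, computed over the ciphertext, is what turns the check into an authentication check.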