Cryptography Reference
In-Depth Information
• Alice sends an email message
My big idea for the next flavour of crisps is
chicken korma
to Bob. She attaches MAC
K
A
(message) to this message.
• Charlie intercepts the email message and thinks the idea is a very good
one. Charlie has a dishonest streak and so he removes the MAC from Alice's
message and replaces it by his ownMAC
K
C
(message). In other words, Charlie
'steals' Alice's message and passes it on to Bob with his own MAC, hence
claiming the idea.
Thus Bob receives a message, with a correct MAC, that appears to come from
Charlie. Unknown to Bob, however, the original message originated with Alice.
(a) Is this an example of a MAC being used without data origin authentication
being provided?
(b) How could Alice have easily avoided this problem?
14
. A simple proposal for a MAC algorithm consists of letting the MAC of message
M
(which consists of message blocks
M
1
,
M
2
,...,
M
n
) be the AES encryption
with key
K
of the XOR of all the message blocks. In other words:
MAC
K
(
M
)
=
E
K
(
M
1
⊕
M
2
⊕···⊕
M
n
)
.
Explain why this is a bad idea.
15
. The description of CBC-MAC that we gave in Section 6.3.3 is oversimplified.
(a) Find out what additional operations are conducted in a version of CBC-MAC
that is approved by a relevant standards body (for example, CMAC).
(b) Why is our simplified version of CBC-MAC regarded as insecure in practice?
16
. HMAC describes a means of creating a MAC from a hash function.
(a) Provide an informal explanation of why the construction
h
(
K
||
M
)ofaMAC
from a hash function is not regarded as secure, where:
•
h
is the underlying hash function;
•
K
is a symmetric key;
•
M
is a message.
(b) Explain one 'obvious' way of trying to create a hash function from a MAC.
(c) Why might the above technique not give you a secure hash function?
(d) How does the standardised version of HMAC differ from the simplified one
in this chapter?
17
. Suppose that Alice wishes to send a confidential message to Bob that starts
with a delivery address. Alice decides to use a block cipher in CBC mode and
sends the IV to Bob followed by the ciphertext.
(a) Explain why an attacker who modifies the IV has a good chance of changing
the delivery address.
(b) What general fact about encryption does this attack illustrate?
