Cryptography Reference
appends the hash value to the message, and encrypts the result with the block cipher
in CBC mode. In this case, two passes are still required, but only one pass comprises
the computation of a hash value. Some alternative constructions that don't require
an encryption in CBC mode are addressed next.
11.2.2 MACs Using Keyed Hash Functions
The idea to use cryptographic hash functions to protect the authenticity and integrity
of data and program files dates back to the late 1980s [7]. In the early 1990s,
people started to think more seriously about the possibility of using cryptographic
hash functions (instead of symmetric encryption systems) to efficiently authenticate
messages. In fact, there are a couple of arguments in favor of using cryptographic
hash functions:
• There are a number of cryptographic hash functions in widespread use (refer
  to Chapter 8 for an overview);
• Cryptographic hash functions can be implemented efficiently in hardware
  and/or software;
• Many implementations of cryptographic hash functions are publicly and freely
  available;
• Cryptographic hash functions are free to use (meaning, for example, that they
  are not subject to patent claims and/or export controls);
• Cryptographic hash functions have well-defined security properties, such as
  preimage resistance, second-preimage resistance, and collision resistance.
Some of these arguments have become obsolete (e.g., export restrictions),
whereas others still apply (e.g., widespread availability and use) and will likely apply
in the foreseeable future (e.g., efficiency).
Against this background, Li Gong and Gene Tsudik first proposed an encryption-free
message authentication based on keyed one-way hash functions instead of a
symmetric encryption system [8, 9].² More specifically, Tsudik proposed and
discussed the following three methods to authenticate a message $m \in M$ using a
one-way hash function $h$ and a secret key $k \in K$:
• In the secret prefix method, $k$ is a prefix to $m$ and $h$ is applied to the composite
  message (i.e., $\mathrm{MAC}_k(m) = h(k \,\|\, m)$);
² An earlier version of [9] was presented at IEEE INFOCOM '92.
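The secret prefix construction above, written out as an added example (not code from the book). SHA-256 stands in for h as an assumption, since the text names no specific hash function, and the key and messages are constructed sample values.

```python
import hashlib
import hmac


def secret_prefix_mac(key: bytes, message: bytes, h=hashlib.sha256) -> bytes:
    """MAC_k(m) = h(k || m): hash the key followed directly by the message."""
    if not key:
        raise ValueError("key must be non-empty")
    state = h(key)          # absorb the secret prefix k first
    state.update(message)   # then the message m
    return state.digest()


def verify(key: bytes, message: bytes, tag: bytes, h=hashlib.sha256) -> bool:
    """Recompute the tag and compare it in constant time."""
    expected = secret_prefix_mac(key, message, h)
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = bytes(range(32))                    # constructed 256-bit key
    message = b"transfer 100 to account 42"   # constructed message
    tag = secret_prefix_mac(key, message)
    return {
        "genuine": verify(key, message, tag),
        "altered_message": verify(key, b"transfer 900 to account 42", tag),
        "wrong_key": verify(bytes(32), message, tag),
        "truncated_tag": verify(key, message, tag[:16]),
        "tag_len": len(tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

When h is an iterated hash such as SHA-256, the bare prefix construction is open to length extension, so deployed code should use HMAC (`hmac.new` in Python) instead.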