Cryptography Reference
In the secret suffix method, k is a suffix to m and h is applied to the composite message (i.e., $\mathrm{MAC}_k(m) = h(m \| k)$);
In the envelope method, there are two keys $k_1$ and $k_2$ that are a prefix and a suffix to m. Again, h is applied to the composite message (i.e., $\mathrm{MAC}_{k_1,k_2}(m) = h(k_1 \| m \| k_2)$).
The three methods and some variations thereof are overviewed and briefly
discussed next. The first two methods are insecure. They were, however, still used
in version 2 of the simple network management protocol (SNMP).
If one uses an iterated hash function (e.g., MD5 or SHA-1), then another
method to key the hash function is to use the IV, meaning that the otherwise fixed
IV is replaced by k. If the IV (and hence the key k) is l bits long (according to the
notation introduced in Section 8.2), then this method is basically the same as the
secret prefix method addressed first.
11.2.2.1 Secret Prefix Method
As mentioned earlier, the secret prefix method consists of prepending a secret key
$k \in \mathcal{K}$ to the message $m \in \mathcal{M}$ before it is hashed with the cryptographic hash
function h. The construction is as follows:
$$\mathrm{MAC}_k(m) = h(k \| m)$$
If h is an iterated hash function, then the secret prefix method is insecure.
Anybody who knows a single message-MAC pair can selectively forge a MAC for
a message that has the known message as a prefix. If one considers Figure 8.2 and
the way an iterated hash function h is constructed (using a compression function f ),
then one easily notices that $t_{i+1} = h(k \| m_1 \| m_2 \| \ldots \| m_{i+1})$ can be computed
from $t_i = h(k \| m_1 \| m_2 \| \ldots \| m_i)$ as follows:
$$t_{i+1} = h(t_i \| m_{i+1})$$
Consequently, if one knows $t_i$ and $m_{i+1}$, then one can compute $t_{i+1}$ without
knowing k. The messages for which a MAC can be selectively forged
are therefore restricted to those having a message with a known MAC as a prefix. This
restriction is not very strong.
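The extension step described above, as an added example that is not part of the original text: a toy iterated hash (its compression function f, block size, and IV are assumptions made here, and the keys and messages are constructed) shows that a tag under the secret prefix method can be extended knowing only the key length. The same step does not verify under the envelope method as defined earlier, because $k_2$ must follow the message.

```python
import hashlib

BLOCK, IV = 64, bytes(16)   # toy parameters: 64-byte blocks, fixed public IV

def f(t, block):
    """Toy compression function f (assumption): 16-byte state, one block."""
    return hashlib.sha256(t + block).digest()[:16]

def pad(n):
    """Merkle-Damgard padding for an n-byte input: 0x80, zeros, bit length."""
    return b"\x80" + bytes(-(n + 9) % BLOCK) + (8 * n).to_bytes(8, "big")

def iterate(t, data):
    """Apply f block by block to block-aligned data, starting from state t."""
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        t = f(t, data[i:i + BLOCK])
    return t

def h(msg):
    return iterate(IV, msg + pad(len(msg)))

def mac_prefix(k, m):            # secret prefix method: h(k || m)
    return h(k + m)

def mac_envelope(k1, k2, m):     # envelope method: h(k1 || m || k2)
    return h(k1 + m + k2)

def extend(tag, key_len, m, suffix):
    """From a known (m, tag) and the key length only, derive (m', tag')."""
    glue = pad(key_len + len(m))             # padding h added after k || m
    m2 = m + glue + suffix                   # known message is a prefix of m'
    # Resume the iteration from t_i = tag; k itself is never used.
    return m2, iterate(tag, suffix + pad(key_len + len(m2)))

def demo():
    k1, k2 = b"constructed-key1", b"constructed-key2"   # constructed keys
    m, suffix = b"amount=10", b"&amount=9999"           # constructed messages
    m2, t2 = extend(mac_prefix(k1, m), len(k1), m, suffix)
    prefix_forged = t2 == mac_prefix(k1, m2)
    m3, t3 = extend(mac_envelope(k1, k2, m), len(k1 + k2), m, suffix)
    envelope_forged = t3 == mac_envelope(k1, k2, m3)
    return prefix_forged, m2.startswith(m), envelope_forged

if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The forged message contains the padding that h appended to the known input, which is why the known message appears as a prefix of it and not as the whole of it.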
Tsudik was aware of this type of message extension or padding attack, and he
suggested three possibilities to protect against it: