Cryptography Reference
In-Depth Information
•
Only part of the hash value is taken as output (e.g., only 64 bits);
•
The messages are always of fixed length;
•
An explicit length field is included at the beginning of a message.
Neither of these possibilities is very comfortable, and hence the secret prefix
method is seldom used in practice.
11.2.2.2
Secret Suffix Method
Because of the message extension attack against the secret prefix method, the secret
suffix method seems to be the preferred choice. As mentioned earlier, the secret
suffix method consists of appending the key
k
to the message
m
before it is hashed
with the cryptographic hash function
h
. The construction is as follows:
MAC
k
(
m
)=
h
(
m
k
)
If
h
is an iterated hash function, then the secret suffix method has a structural
problem.
3
Whether this problem is serious or not depends on the compression
function (of the hash function in use). The structural problem is due to the fact
that the MAC is a function of some known values
4
and the key, assuming the key
is passed entirely to the last iteration of the compression function. Consequently, an
adversary may see the result of applying the compression function to many different
known values and the same key. This means that he or she may perform a known-
message attack against the compression function. While it is unlikely that currently
used compression functions reveal information about the key, other cryptographic
hash functions may not fare as well, and one may go for a more secure design in the
first place.
11.2.2.3
Envelope Method
The envelope method combines the prefix and suffix methods. As mentioned earlier,
the envelope method consists of prepending a key
k
1
and appending another key
k
2
to the message
m
before it is hashed with the cryptographic hash function
h
.The
construction is as follows:
3
The secret prefix method has the same problem, but only when the message is very short (i.e., if
there is only one iteration of the compression function).
4
The known values are (1) the next-to-last chaining value, which by assumption depends only on the
message, (2) the last part of the message, and (3) some padding.
