SHA-based encryption function in Python

Richard Parker richard at electrophobia.com
Wed Apr 24 05:29:00 EDT 2002


Paul Rubin at phr-n2002a at nightsong.com wrote on 4/24/02 1:41 AM:

> Richard Parker <richard at electrophobia.com> writes:
>> I just took a quick look at your Python code.  I'd encourage you to not use
>> the secret prefix method to construct a MAC from a hash function, i.e.
>> MAC(x) = H(K || x).  This method is generally considered to be insecure.
>> Use the HMAC construction instead.
> 
> Thanks.  What's the real deal with this?  Is an insecurity known, when
> K and X are the output of encryption functions, and not chosen by
> attackers?  

The secret prefix method is vulnerable to an "appending" attack.  An
attacker given a message-MAC pair can compute, without the key, the correct
MAC for a new message that has the original message as a prefix.  In the
case where you are using a MAC as an authentication code you are applying
the MAC to the ciphertext, so the new message will verify as valid, but once
decrypted it will likely have a garbage suffix.  Many applications will
detect this modification, but it could well be a problem for some
applications.  The fact that you truncate your authentication code provides
resistance to this attack; however, it is still a good idea to use a MAC
construction that is not vulnerable to this kind of attack.

> I know that HMAC tries to be robust under unknown weakness
> of the underlying hash function, but since the OFB mode encryption
> depends on the hash function being strong, HMAC likely doesn't help
> that much.  

The portions of your code that use H() just as a hash function don't need to
use HMAC.

> Do you think it matters in practice, given that this is
> running in an interpreted language on a general purpose PC?

Yes.  I think it is an unnecessary limitation.  If a client of your library
uses it to protect something valuable, an attacker is unlikely to have the
same limitations.  The authentication code is an important part of the
security of an encryption scheme, don't neglect it.

-Richard
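To make the two constructions discussed above concrete, here is an added example (not code from Paul's library or from Richard's reply) that places the secret-prefix MAC H(K || x) beside the HMAC construction from RFC 2104, checks the hand-written HMAC against Python's hmac module, and verifies a possibly truncated tag in constant time. The key, message and function names are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample key and message for the example; not from the thread.
KEY = b"correct horse battery staple"
MESSAGE = b"ciphertext bytes produced by the OFB encryption step"


def secret_prefix_mac(key: bytes, msg: bytes) -> bytes:
    """MAC(x) = H(K || x): the construction the reply advises against.

    A SHA-1 digest is the hash's complete internal state after the last
    block, so a valid (msg, tag) pair lets anyone continue the hash and
    produce a valid tag for msg + padding + suffix without knowing K.
    Truncating the tag withholds part of that state, which is why the
    reply notes that truncation gives some resistance.
    """
    return hashlib.sha1(key + msg).digest()


def hmac_from_definition(key: bytes, msg: bytes, hashfn=hashlib.sha1) -> bytes:
    """HMAC(K, x) = H((K ^ opad) || H((K ^ ipad) || x)), per RFC 2104.

    The inner digest is hashed again under a second, key-derived prefix,
    so the tag never exposes a state an attacker could extend from.
    """
    block_size = hashfn().block_size          # 64 bytes for SHA-1
    if len(key) > block_size:                 # long keys are hashed first
        key = hashfn(key).digest()
    key = key.ljust(block_size, b"\x00")      # then zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashfn(ipad + msg).digest()
    return hashfn(opad + inner).digest()


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """The same construction via the standard library (preferred in practice)."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def verify(tag: bytes, key: bytes, msg: bytes, trunc: int = 20) -> bool:
    """Recompute HMAC-SHA1 over msg and compare the first `trunc` bytes.

    compare_digest avoids the early-exit timing leak of `==` on bytes.
    A tag shorter than `trunc` is rejected rather than partially matched.
    """
    if len(tag) < trunc:
        return False
    expected = hmac_sha1(key, msg)[:trunc]
    return hmac.compare_digest(expected, tag[:trunc])


if __name__ == "__main__":
    print("secret prefix :", secret_prefix_mac(KEY, MESSAGE).hex())
    print("HMAC (manual) :", hmac_from_definition(KEY, MESSAGE).hex())
    print("HMAC (stdlib) :", hmac_sha1(KEY, MESSAGE).hex())
    print("verify full   :", verify(hmac_sha1(KEY, MESSAGE), KEY, MESSAGE))
    print("verify 8-byte :", verify(hmac_sha1(KEY, MESSAGE)[:8], KEY, MESSAGE, trunc=8))
```

Only the MAC over the ciphertext needs the HMAC treatment; as the reply says, places where H() is used purely as a hash (for example to derive the OFB keystream) can keep calling the hash directly.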
