SHA-based encryption function in Python
David Wagner
daw at mozart.cs.berkeley.edu
Thu Apr 25 14:57:30 EDT 2002
Paul Rubin wrote:
>Anyway, I begin to miss my original scheme of hashing under the
>encryption (MAC-then-encrypt):
> ciphertext = encrypt(plaintext + H(plaintext))
>The Bellare/Namprempre article lists this scheme as insecure but I
>don't understand the reasons yet.
Yeah. A lot of people find this counter-intuitive.
(The question seems to come up about once every 6 months here
on sci.crypt.) Fortunately, I saved my answer from the last time. :-)
The following attack assumes encrypt() uses CBC mode encryption,
though the comments apply to most of the common modes of
operation.
Suppose you want to make the receiver think message M was sent,
even though the sender would never authorize this. Then you
should construct M' = M || H(M) || X, where X is arbitrary and
where || denotes concatenation (it better be at block boundaries).
Ask the sender to transmit M'; he will form M' || H(M'), encrypt
it with CBC mode, and transmit the result. Now you can truncate
the ciphertext, snipping it just before the "X" part, and the
receiver will think M was sent, which is an integrity failure.
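The truncation attack described above, worked through as an added example (this is not code from the original thread or from either poster). It assumes a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for a real block cipher, unpadded CBC so that everything sits on block boundaries, SHA-256 as H, and the hypothetical helper names seal/unseal/truncation_attack; the messages are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16                               # block size of the toy cipher
HASH_LEN = hashlib.sha256().digest_size  # 32 bytes = exactly two blocks
ROUNDS = 4


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, r, half):
    # Keyed Feistel round function: HMAC-SHA256(round || half), truncated to 8 bytes.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    # Toy 4-round Feistel cipher on 16-byte blocks; stands in for a real cipher (assumption).
    L, R = block[:8], block[8:]
    for r in range(ROUNDS):
        L, R = R, xor(L, _round(key, r, R))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        L, R = xor(R, _round(key, r, L)), L
    return L + R


def cbc_encrypt(key, iv, plaintext):
    # Unpadded CBC: the caller supplies block-aligned input, as the post requires.
    assert len(plaintext) % BLOCK == 0, "plaintext must be block aligned"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, ciphertext):
    # CBC decryption of a ciphertext prefix yields the matching plaintext prefix.
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for i in range(0, len(body), BLOCK):
        cur = body[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def seal(key, iv, m):
    # The MAC-then-encrypt scheme from the thread: encrypt(m || H(m)).
    return cbc_encrypt(key, iv, m + hashlib.sha256(m).digest())


def unseal(key, c):
    # Receiver: decrypt, split off the trailing hash, accept only if it matches.
    p = cbc_decrypt(key, c)
    m, tag = p[:-HASH_LEN], p[-HASH_LEN:]
    if not hmac.compare_digest(hashlib.sha256(m).digest(), tag):
        raise ValueError("integrity check failed")
    return m


def truncation_attack(key, iv, m, x):
    # Attacker (who never learns the key) gets the sender to seal
    # M' = M || H(M) || X, then keeps only the IV and the ciphertext
    # blocks covering M || H(M); the receiver decrypts that to a valid M || H(M).
    m_prime = m + hashlib.sha256(m).digest() + x
    c = seal(key, iv, m_prime)          # this is the sender's own encryption step
    keep = BLOCK + len(m) + HASH_LEN    # IV + M + H(M), all on block boundaries
    return c[:keep]


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    m = b"PAY ALICE $10   " + b"from the vault. "  # constructed, 32 bytes
    x = b"NOT AUTHORIZED! "                         # constructed, 16 bytes
    forged = truncation_attack(key, iv, m, x)
    print("receiver accepted:", unseal(key, forged))
```

The attacker needs no key material and makes no change to any ciphertext block; chopping the tail off a CBC ciphertext still decrypts cleanly, and the hash inside the surviving prefix is a valid hash of the surviving message, so the receiver's check passes even though the sender only ever authorized M'.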