From: Mok-Kong Shen on 9 Aug 2010 01:54

Let C = E(K,P) denote a block encryption processing. I intend to apply
authentication as follows (n=number of blocks):

S[0] = IV;

for (i=0; i<n; i++)
{ C[i] = E(K,S[i]^P[i]);
  S[i] = E(K,S[i]^P[i]^C[i]);
}

S[n-1] = authentication.

Are there any security problems in this? Has this been done anywhere?

It is clear that, unlike CBC, if any C[i] has a transmission error, then
all following blocks would be garbled. However, firstly, modern
transmission protocols have sufficiently good error correction at lower
layers and secondly, such garbling could even be considered an advantage,
since any modification of C by a third person would have a higher chance
of being detected.

Thanks in advance.

M. K. Shen

--------------------------------------------------------------------
[OT] In an attempt to reduce annoyance to the general readers, I am
unfortunately forced to forgo any opportunities of discussion with those
who have the unnice impulse (urge, "Drang" in German) to overload their
posts with bandwidth-wasting personal stuff and/or bad words, by placing
them into my kill-file. Those who dislike my posts for whatever reasons
are requested to kindly put me into their kill-files as well.
From: Scott Contini on 9 Aug 2010 03:06

On Aug 9, 3:54 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Let C = E(K,P) denote a block encryption processing. I intend to apply
> authentication as follows (n=number of blocks):
>
> S[0] = IV;
>
> for (i=0; i<n; i++)
> { C[i] = E(K,S[i]^P[i]);
>   S[i] = E(K,S[i]^P[i]^C[i]);
> }
>
> S[n-1] = authentication.
>
> Are there any security problems in this? Has this been done anywhere?

I'm pretty sure you haven't written this correctly:
Each iteration is independent from the previous.

I'm pretty sure that once you fix it up, it is still
vulnerable to existential forgeries.

Scott
From: Mok-Kong Shen on 9 Aug 2010 12:15

Scott Contini wrote:
> Mok-Kong Shen wrote:
>> Let C = E(K,P) denote a block encryption processing. I intend to apply
>> authentication as follows (n=number of blocks):
>>
>> S[0] = IV;
>>
>> for (i=0; i<n; i++)
>> { C[i] = E(K,S[i]^P[i]);
>>   S[i] = E(K,S[i]^P[i]^C[i]);
>> }
>>
>> S[n-1] = authentication.
>>
>> Are there any security problems in this? Has this been done anywhere?
>
> I'm pretty sure you haven't written this correctly:
> Each iteration is independent from the previous.

Thank you very much for pointing out the blunder. It should be

S[0] = IV;

for (i=0; i<n; i++)
{ C[i] = E(K,S[i]^P[i]);
  S[i+1] = E(K,S[i]^P[i]^C[i]);
}

S[n] = authentication.

> I'm pretty sure that once you fix it up, it is still
> vulnerable to existential forgeries.

My knowledge is very poor. Could you kindly help and tell
a bit more about the possible vulnerabilities.

Thanks in advance.

M. K. Shen
From: Scott Contini on 9 Aug 2010 17:40

On Aug 10, 2:15 am, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Scott Contini wrote:
>> Mok-Kong Shen wrote:
>>> Let C = E(K,P) denote a block encryption processing. I intend to apply
>>> authentication as follows (n=number of blocks):
>>>
>>> S[0] = IV;
>>>
>>> for (i=0; i<n; i++)
>>> { C[i] = E(K,S[i]^P[i]);
>>>   S[i] = E(K,S[i]^P[i]^C[i]);
>>> }
>>>
>>> S[n-1] = authentication.
>>>
>>> Are there any security problems in this? Has this been done anywhere?
>>
>> I'm pretty sure you haven't written this correctly:
>> Each iteration is independent from the previous.
>
> Thank you very much for pointing out the blunder. It should be
>
> S[0] = IV;
>
> for (i=0; i<n; i++)
> { C[i] = E(K,S[i]^P[i]);
>   S[i+1] = E(K,S[i]^P[i]^C[i]);
> }
>
> S[n] = authentication.
>
>> I'm pretty sure that once you fix it up, it is still
>> vulnerable to existential forgeries.
>
> My knowledge is very poor. Could you kindly help and tell
> a bit more about the possible vulnerabilities.
>
> Thanks in advance.
>
> M. K. Shen

It is trivially breakable. Two attacks: (i) the first block, and
(ii) extension attacks. You should be able to figure out the rest.
I hope. This is very basic stuff.

Scott
From: Mok-Kong Shen on 9 Aug 2010 17:51

Scott Contini wrote:
> It is trivially breakable. Two attacks: (i) the first
> block, and (ii) extension attacks. You should be able
> to figure out the rest. I hope. This is very basic stuff.

I have in the meantime also thought about it a little bit myself.
Would the following slight modification tighten up the matter?

S[0] = E(K,IV);

for (i=0; i<n; i++)
{ C[i] = E(K,S[i]^P[i]);
  S[i+1] = E(K,S[i]^P[i]^C[i]);
}

E(K,S[n]) = authentication.

Thanks.

M. K. Shen
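Added illustration, not code from anyone in the thread: a toy Python model of the corrected chain from the second post and of the modification in the last post, with two checks that make Scott's hints testable. My reading of hint (i) is that IV and P[0] enter the chain only as IV^P[0], and of hint (ii) that the tag is the raw chain state, so a tag can double as the starting state of a continuation; E is a throwaway Feistel permutation standing in for a real block cipher.

```python
import hashlib


def E(key: bytes, block: int) -> int:
    """Toy keyed 64-bit permutation (4-round Feistel over SHA-256) standing in for
    a real block cipher so the script runs offline.  NOT a secure cipher."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right.to_bytes(4, "big")).digest()
        left, right = right, left ^ int.from_bytes(f[:4], "big")
    return (left << 32) | right


def chain(key: bytes, s0: int, plaintext: list[int]) -> tuple[list[int], int]:
    """Corrected loop from the thread, started at state s0; returns (C, S[n]):
    C[i] = E(K, S[i]^P[i]);  S[i+1] = E(K, S[i]^P[i]^C[i])."""
    s, cipher = s0, []
    for p in plaintext:
        c = E(key, s ^ p)
        cipher.append(c)
        s = E(key, s ^ p ^ c)
    return cipher, s


def tag_v1(key: bytes, iv: int, plaintext: list[int]) -> int:
    """First proposal: S[0] = IV (sent in clear), tag = S[n]."""
    return chain(key, iv, plaintext)[1]


def tag_v2(key: bytes, iv: int, plaintext: list[int]) -> int:
    """Modified proposal from the last post: S[0] = E(K, IV), tag = E(K, S[n])."""
    return E(key, chain(key, E(key, iv), plaintext)[1])


def first_block_malleable(tag_fn, key, iv, plaintext, delta) -> bool:
    """True if XOR-ing one delta into both IV and P[0] leaves the tag unchanged,
    so the verifier accepts a message whose first block was altered (hint i)."""
    altered = [plaintext[0] ^ delta] + plaintext[1:]
    return tag_fn(key, iv, plaintext) == tag_fn(key, iv ^ delta, altered)


def extends(tag_fn, key, iv, head, tail) -> bool:
    """True if tag(IV, head||tail) == tag(tag(IV, head), tail): the tag is itself
    a usable chain state, so blocks can be appended to a tagged message (hint ii)."""
    return tag_fn(key, iv, head + tail) == tag_fn(key, tag_fn(key, iv, head), tail)
```

With constructed sample data both checks return True for tag_v1 and False for tag_v2, which is the property the modification buys: the IV and the final state no longer appear in the clear on either end of the chain.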