From: Ryan Chan on 7 Jun 2010 11:20

http://en.wikipedia.org/wiki/Message_authentication_code

Seems most Linux ISO download sites give an MD5 checksum of the ISO file as a way to validate the integrity of the file. Why can't people call a hash function (e.g. MD5, no key, no salt) a MAC?

From: Tom St Denis on 7 Jun 2010 11:31

On Jun 7, 11:20 am, Ryan Chan <ryanchan...(a)gmail.com> wrote:
> http://en.wikipedia.org/wiki/Message_authentication_code
>
> Seems most Linux ISO download site give MD5 checksum of ISO file as a
> kind to validate the integrity of the file, why people can't call hash
> function (e.g. MD5, no key, no salt) as MAC?

I don't understand the question. A keyless MAC isn't a MAC.

Tom

From: jbriggs444 on 7 Jun 2010 12:41

On Jun 7, 11:31 am, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jun 7, 11:20 am, Ryan Chan <ryanchan...(a)gmail.com> wrote:
>
> > http://en.wikipedia.org/wiki/Message_authentication_code
>
> > Seems most Linux ISO download site give MD5 checksum of ISO file as a
> > kind to validate the integrity of the file, why people can't call hash
> > function (e.g. MD5, no key, no salt) as MAC?
>
> I don't understand the question. a keyless MAC isn't a MAC.
>
> Tom

Maybe I'm dumb enough to understand the question and guess at the answer. It's just a question about terminology, after all.

A simple unkeyed MD5 hash is a "Message Authentication Code" in the sense that it can tell you whether a message posted on the web site is authentic -- if you assume the hash itself is authentic.

That's a problematic assumption.

A keyed MD5 hash is a "Message Authentication Code" in the sense of cryptography because it can give you some assurance that both the message and the hash are authentic based on knowledge of the shared secret key.

The former use of the term "MAC" would seem to be of limited use in cryptography.

From: Tom St Denis on 7 Jun 2010 12:55

On Jun 7, 12:41 pm, jbriggs444 <jbriggs...(a)gmail.com> wrote:
> On Jun 7, 11:31 am, Tom St Denis <t...(a)iahu.ca> wrote:
>
> > On Jun 7, 11:20 am, Ryan Chan <ryanchan...(a)gmail.com> wrote:
>
> > > http://en.wikipedia.org/wiki/Message_authentication_code
>
> > > Seems most Linux ISO download site give MD5 checksum of ISO file as a
> > > kind to validate the integrity of the file, why people can't call hash
> > > function (e.g. MD5, no key, no salt) as MAC?
>
> > I don't understand the question. a keyless MAC isn't a MAC.
>
> > Tom
>
> Maybe I'm dumb enough to understand the question and guess
> at the answer. It's just a question about terminology, after all.
>
> A simple unkeyed MD5 hash is a "Message Authentication Code" in the
> sense that it can tell you whether a message posted on the web site is
> authentic -- if you assume the hash itself is authentic.
>
> That's a problematic assumption.
>
> A keyed MD5 hash is a "Message Authentication Code" in the sense of
> cryptography because it can give you some assurance that
> both the message and the hash are authentic based on knowledge
> of the shared secret key.
>
> The former use of the term "MAC" would seem to be of limited use
> in cryptography.

In crypto we differentiate between integrity and authenticity. Integrity is what a hash tries to provide. Authenticity is what a signature or MAC provides.

An unkeyed-MAC only provides integrity [at most, sometimes not even that, see for example universal-hash functions].

Tom

From: jbriggs444 on 7 Jun 2010 16:42

On Jun 7, 12:55 pm, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jun 7, 12:41 pm, jbriggs444 <jbriggs...(a)gmail.com> wrote:
>
> > On Jun 7, 11:31 am, Tom St Denis <t...(a)iahu.ca> wrote:
>
> > > On Jun 7, 11:20 am, Ryan Chan <ryanchan...(a)gmail.com> wrote:
>
> > > > http://en.wikipedia.org/wiki/Message_authentication_code
>
> > > > Seems most Linux ISO download site give MD5 checksum of ISO file as a
> > > > kind to validate the integrity of the file, why people can't call hash
> > > > function (e.g. MD5, no key, no salt) as MAC?
>
> > > I don't understand the question. a keyless MAC isn't a MAC.
>
> > > Tom
>
> > Maybe I'm dumb enough to understand the question and guess
> > at the answer. It's just a question about terminology, after all.
>
> > A simple unkeyed MD5 hash is a "Message Authentication Code" in the
> > sense that it can tell you whether a message posted on the web site is
> > authentic -- if you assume the hash itself is authentic.
>
> > That's a problematic assumption.
>
> > A keyed MD5 hash is a "Message Authentication Code" in the sense of
> > cryptography because it can give you some assurance that
> > both the message and the hash are authentic based on knowledge
> > of the shared secret key.
>
> > The former use of the term "MAC" would seem to be of limited use
> > in cryptography.
>
> In crypto we differentiate between integrity and authenticity.
> Integrity is what a hash tries to provide. Authenticity is what a
> signature or MAC provides.
>
> An unkeyed-MAC only provides integrity [at most, sometimes not even
> that, see for example universal-hash functions].

_IF_ you could trust that the unkeyed hash code is authentic then what possibilities exist for the associated message to match the hash and yet fail to be authentic? It seems to me that the message must be authentic in this case, barring a successful pre-image attack on the hash.

Yes, I understand that if you cannot trust the provenance of the hash then you're down to integrity without authenticity. You can trust that the message came to you intact from the sender; you just don't know who the real sender is. Anybody could have generated a message and a hash and offered them both up.

And yes, I understand that if you can trust the hash, you must have a trusted communications channel -- why not just use it? [Maybe it's low bandwidth].

Or am I still missing the point?
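
The distinction argued over in this thread, as an added example that is not part of any poster's message: an unkeyed digest can be recomputed by whoever supplies the file, while an HMAC tag cannot be produced without the shared key. The function names, the key and the sample bytes are constructed for illustration, and SHA-256 stands in for the thread's MD5 because the point does not depend on the hash function.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    # Unkeyed hash: anyone who holds the data can compute it.
    return hashlib.sha256(data).hexdigest()

def tag(key: bytes, data: bytes) -> str:
    # Keyed hash (HMAC): producing a valid tag needs the shared secret.
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def check_digest(data: bytes, published: str) -> bool:
    return hmac.compare_digest(digest(data), published)

def check_tag(key: bytes, data: bytes, received: str) -> bool:
    return hmac.compare_digest(tag(key, data), received)

# Constructed sample values (assumptions, not taken from the thread).
KEY = b"constructed shared secret"
ORIGINAL = b"constructed stand-in for the ISO image"
ALTERED = ORIGINAL + b" plus a change made after publication"

def scenarios() -> dict:
    good_digest, good_tag = digest(ORIGINAL), tag(KEY, ORIGINAL)
    # A party without KEY can still recompute the unkeyed digest...
    swapped_digest = digest(ALTERED)
    # ...but can only produce a tag under some other key.
    swapped_tag = tag(b"not the shared secret", ALTERED)
    return {
        "genuine file, genuine digest":
            check_digest(ORIGINAL, good_digest),
        "altered file, digest from a trusted channel":
            check_digest(ALTERED, good_digest),
        "altered file, digest replaced along with it":
            check_digest(ALTERED, swapped_digest),
        "genuine file, genuine tag":
            check_tag(KEY, ORIGINAL, good_tag),
        "altered file, tag replaced along with it":
            check_tag(KEY, ALTERED, swapped_tag),
    }

if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{'accepted' if accepted else 'rejected'}: {name}")
```

The third scenario is the "integrity without authenticity" case: the file matches its checksum, yet nothing ties either of them to the publisher.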