
Is appending the hash of the plaintext to the end of an encrypted message sufficient to ensure integrity?

My reasoning is that the attacker doesn't know all the plaintext, so by having a hash, the attacker will be able to change the message, but will be unable to recalculate the hash.

Are there any flaws in my reasoning, besides the case where the attacker knows the whole plaintext?

To be clear, this is $\text{E}(\text{data})\,|\,\text{H}(\text{data})$, it is not $\text{E}(\text{data}\,|\,\text{H}(\text{data}))$.

flaviut
  • No. / No. / Yes; the attacker might know the hash of the to-be-forged plaintext, without knowing the whole plaintext. – Sep 14 '14 at 18:59
  • @otus This is slightly different, the hash isn't encrypted in this case, and there is not a key concatenated with the data. However, that link is great for reading, thanks! – flaviut Sep 14 '14 at 19:30
  • See http://crypto.stackexchange.com/q/16428/351 and http://crypto.stackexchange.com/q/9941/351 and http://security.stackexchange.com/q/13800/971 and http://crypto.stackexchange.com/q/11440/351, all of which answer your question. – D.W. Sep 17 '14 at 04:24
  • @D.W. Those are all $\text{E}(\text{data}\,|\,\text{H}(\text{data}))$, except for 11440, which also has variations on $\text{E}(\text{data})\,|\,\text{HMAC}(\text{data})$. I've edited my question to clarify. I will be reading them however, they are very much related to this question. – flaviut Sep 18 '14 at 02:57

1 Answer


Is appending the hash of the plaintext to the end of an encrypted message sufficient to ensure integrity?

Not in the sense of authentication. Such a construction is malleable for many reasonable encryption algorithms. It also leaks the plaintext to anyone who can guess it, since they can calculate $h(P_i)$ for guesses (brute force or dictionary attack) and compare to the hash value.

As for malleability, if the cipher is a stream cipher and the attacker can guess that the message is $A$, then they can turn it to an equally long message $A'$ by calculating a new ciphertext $C' = C \oplus A \oplus A'$ and replacing the old hash with $h(A')$.

CTR, OFB etc. modes are essentially stream ciphers so the above applies. Similar attacks, perhaps more limited, are possible against some other block cipher modes as well. For example, with CBC the attacker can replace the last message block with some earlier block to make a deterministic change to the message (xor by a xor of certain ciphertext blocks). They can then calculate the new hash and replace.

Even if you encrypted the hash, to avoid guessing, it might still not be a secure MAC. Further, if it was, you would be using encrypt-and-MAC since the hash is over the plaintext. Encrypt-then-MAC has some advantages over it.

If this is a real-world scenario, consider instead appending an HMAC of the ciphertext or using an authenticated encryption mode.

otus
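The stream-cipher malleability the answer describes, run against the questioner's $\text{E}(\text{data})\,|\,\text{H}(\text{data})$ construction and then against encrypt-then-MAC, as an added Python example that is not part of any post above. The SHAKE-256 keystream standing in for CTR/OFB, the key and nonce handling, and the two sample messages are assumptions made for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 output length, used for both the plain hash and the HMAC tag

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher keystream (SHAKE-256 of key||nonce). Stands in for CTR/OFB
    # in this demo only; an assumption for illustration, not a production cipher.
    return hashlib.shake_256(key + nonce).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# The questioner's construction: E(data) || H(data), hash sent in the clear.
def encrypt_and_hash(ek, nonce, msg):
    return xor(msg, keystream(ek, nonce, len(msg))) + hashlib.sha256(msg).digest()

def decrypt_and_check_hash(ek, nonce, blob):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    p = xor(c, keystream(ek, nonce, len(c)))
    return p if hmac.compare_digest(hashlib.sha256(p).digest(), tag) else None

# Encrypt-then-MAC: HMAC over nonce || ciphertext under a separate key (mk).
def encrypt_then_mac(ek, mk, nonce, msg):
    c = xor(msg, keystream(ek, nonce, len(msg)))
    return c + hmac.new(mk, nonce + c, hashlib.sha256).digest()

def decrypt_then_check_mac(ek, mk, nonce, blob):
    c, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mk, nonce + c, hashlib.sha256).digest(), tag):
        return None
    return xor(c, keystream(ek, nonce, len(c)))

def rewrite(blob, guessed, desired, new_tag):
    # The answer's malleability step: C' = C xor A xor A', then swap in a new tag.
    # Needs no key, only a correct guess of A; the hash variant also needs H(A').
    return xor(xor(blob[:-TAG_LEN], guessed), desired) + new_tag

def demo():
    ek, mk, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    a, a2 = b"transfer 100 to alice", b"transfer 999 to bobby"  # constructed, equal length
    weak = encrypt_and_hash(ek, nonce, a)
    tampered = rewrite(weak, a, a2, hashlib.sha256(a2).digest())
    strong = encrypt_then_mac(ek, mk, nonce, a)
    tampered2 = rewrite(strong, a, a2, strong[-TAG_LEN:])  # no MAC key: reuse old tag
    return {
        "hash_scheme_returns": decrypt_and_check_hash(ek, nonce, tampered),  # a2: accepted
        "mac_scheme_returns": decrypt_then_check_mac(ek, mk, nonce, tampered2),  # None
    }
```

The hash-only receiver decrypts the rewritten message and accepts it, while the HMAC-over-ciphertext receiver rejects it before decrypting anything.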