Is Encrypt(m||k2, k1) secure authenticated encryption?

Question

I don't fully understand the need for MAC algorithms to authenticate encrypted messages. As I understand, the standard is to send something like $\mathrm{E}(m,k) \| \mathrm{MAC}(m,k)$ where $E$ is an error-propagating block cipher, $k$ is an encryption key.

Would it not be easier simply to send $\mathrm{E}(m\|s,k)$ where $s$ is a salt shared across the system? After decryption, the receiving user can simply check that the last $\mathrm{len}(s)$ bytes of the message match $s$ to check its authenticity.

Which mode of operation are you using? With most modes (including ECB, CBC, CFB, OFB and CTR) there are attacks against this construction. — CodesInChaos, Jul 24 '17 at 19:09
@Eoin : One would also need to be confident that the mode of operation preserved error-propogation. — , Jul 25 '17 at 04:57
Just saying "error-propagating" is not enough. No popular unauthenticated mode of operation has the properties required to make this secure (SIV has, but it's already authenticated). — CodesInChaos, Jul 25 '17 at 08:21
@Eoin, just a note: it's usually recommended to use a MAC of the encrypted message, i.e. send $ \mathrm{E_{k1}}(m) | \mathrm{MAC_{k2}}(\mathrm{E_{k1}}(m)) $ (with separate keys for $ \mathrm{E} $ and $ \mathrm{MAC} $, of course) — ilkkachu, Jul 25 '17 at 11:08

score 17 · Answer 1 · answered Jul 24 '17 at 19:10

17

Would it not be easier simply to send $E(m||s,k)$ where s is a salt shared across the system?

Yes, that would be simpler; however, that would not (in general) be secure.

The assumption you are making is that if someone modifies the ciphertext in any way, then the last few bits of the resulting plaintext must also be modified. This is often not the case:

If we are using CTR mode, then someone modifying byte $i$ of the ciphertext will cause byte $i$ of the plaintext to be modified, without any other changes. So, the attacker can avoid this protection by simply limiting his changes to the first part ($len(m)$) of the ciphertext
If we are using CBC mode, then someone modifying block $i$ of the ciphertext will cause blocks $i$ and $i+1$ of the plaintext to be modified; assuming that attacker does not modify that last two blocks of the ciphertext, his modifications will be undetected.

answered Jul 24 '17 at 19:10

poncho

147,019
11
229
360

1

For CBC mode it might also allow padding oracle attacks in which case not only the integrity and authenticity would be at risk but also the confidentiality of the plaintext - negating any security provided by the cipher. – Maarten Bodewes Jul 24 '17 at 23:22
Sorry, I should have mentioned: I was operating under the assumption that the block cipher had error-propagation. Edited. – user2972359 Jul 25 '17 at 00:54
1

OpenPGP is using this protection, it is called MDC in combination with The CFB variant. But it is just a incomplete protection in Oracle scenarios. like discussed here https://eprint.iacr.org/2005/033.pdf – eckes Jul 25 '17 at 05:40
@eckes Isn't that an encrypted hash instead of an encrypted fixed key? – CodesInChaos Jul 25 '17 at 09:14
@CodesInChaos yes indeed, and some salt bytes for a good measure – eckes Jul 25 '17 at 16:30
@Eoin: It doesn't suffice to just say that you're assuming the cipher is "error-propagating" without defining what you mean by that. For example, CBC mode is often said to be error propagating precisely because of the property that poncho described. And yet as poncho points out your construction is not secure when instantiated with CBC. – Luis Casillas Jul 25 '17 at 21:03
What if $s$ was the first block of data to be encrypted in CBC mode? – Melab Sep 20 '17 at 20:35

Is Encrypt(m||k2, k1) secure authenticated encryption?

1 Answers1