One should not use SHA for MAC, because knowing SHA(key || message) and message you can construct SHA(key || message || forgery) without knowing the actual key. I read somewhere that one shouldn't use SHA(message || key) as MAC. Why? Here || means string concatenation.
srututu
Strongly related: Why is MAC using nonce+message+hash(nonce+message+identifier) not the standard? – SEJPM Sep 23 '17 at 21:16
1 Answer
If you know a length-preserving collision, that is, two distinct messages $M_1, M_2$ of the same length with $\operatorname{SHA}(M_1) = \operatorname{SHA}(M_2)$, then you know a priori that the two messages $M_1 || \text{Pad}(M_1)$ and $M_2 || \text{Pad}(M_2)$ (where $\text{Pad}$ is the SHA padding function) will evaluate to the same value (and hence the MAC is broken).
This immediately shows that this MAC is insecure if instantiated with SHA-1.
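As an added illustration (not part of the question or the answer above), a constructed toy Merkle-Damgård hash with a 16-bit state makes both arguments concrete: `suffix_mac_collides` reproduces the answer's point that a same-length collision in the hash gives a tag for `M1 || Pad(M1)` that is also valid for `M2 || Pad(M2)` without touching the key, and `prefix_mac_extends` reproduces the question's point that `H(key || message)` can be extended knowing only the key's length. The hash, padding rule, key and messages are all assumptions made for this demo.

```python
import itertools, struct
BLOCK, IV = 2, 0x1234  # constructed toy Merkle-Damgard hash: 2-byte blocks, 16-bit state

def compress(state: int, block: bytes) -> int:
    """Toy compression function (constructed, deliberately weak so collisions are cheap)."""
    w = int.from_bytes(block, "big")
    s = ((state ^ w) * 0x9E37 + 0x79B9) & 0xFFFF
    return (((s << 5) | (s >> 11)) & 0xFFFF) ^ w

def pad(msg: bytes, total_len: int = -1) -> bytes:
    """MD padding: 0x80, zero fill, then the 16-bit bit-length of the whole hashed input."""
    n = len(msg) if total_len < 0 else total_len
    out = msg + b"\x80"
    out += b"\x00" * ((-len(out) - 2) % BLOCK)
    return out + struct.pack(">H", (8 * n) & 0xFFFF)

def md(data: bytes, state: int = IV) -> int:
    """Run the compression function over already-padded data, starting from `state`."""
    for i in range((0), len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state

def toy_hash(msg: bytes) -> int:
    return md(pad(msg))

def find_same_length_collision(length: int = 3):
    """Birthday search: two distinct messages of equal length with the same toy hash."""
    seen = {}
    for m in itertools.product(range(256), repeat=length):
        m = bytes(m)
        h = toy_hash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
    raise RuntimeError("no collision found")  # unreachable with a 16-bit state

def suffix_mac(key: bytes, msg: bytes) -> int:  # H(message || key), the construction asked about
    return toy_hash(msg + key)

def suffix_mac_collides(key: bytes) -> bool:
    """Answer's argument: same internal state after M1||Pad(M1) and M2||Pad(M2), so one tag fits both."""
    m1, m2 = find_same_length_collision()
    return m1 != m2 and suffix_mac(key, pad(m1)) == suffix_mac(key, pad(m2))

def prefix_mac_extends(key: bytes, msg: bytes, extra: bytes) -> bool:
    """Question's argument: from tag = H(key||msg) and len(key) alone, keep hashing without the key."""
    tag = toy_hash(key + msg)
    glue = pad(b"\x00" * len(key) + msg)[len(key) + len(msg):]  # padding depends only on length
    forged_msg = msg + glue + extra
    forged_tag = md(pad(extra, total_len=len(key) + len(forged_msg)), state=tag)
    return toy_hash(key + forged_msg) == forged_tag
```

Both checks return True for any key. HMAC avoids both problems because the key is folded into the initial state of the inner and outer hash, which is why `hmac.new(key, msg, hashlib.sha256)` rather than either bare construction is the standard choice.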