What are the security risks if I use a hash function $H$ such that $Y=H(K||M||N)$, where $K$ is a secret key, $M$ is a message, $N$ is a nonce and $||$ is the concatenation operation (where the length of $K||M||N$ is fixed and is less than or equal to the block size of the hash $H$)?
- Duplicate? https://crypto.stackexchange.com/q/1070/49826 – Squeamish Ossifrage Dec 22 '17 at 17:00
- Presumably the nonce is known to the attacker, correct? – mikeazo Dec 22 '17 at 17:20
1 Answer
In general, the construction $H(K||M||N)$ where $H, Y, N$ are known to an attacker is arguably no more secure than $H(K||M)$, which we already know to be broken. For that latter construction, we can easily forge a MAC of the form $K||M||PADDING||Z$ for some message $Z$.
This same attack would apply to the construction proposed in the question, except the forgery would be of the form $K||M||N||PADDING||Z||N$. This attack is feasible on many currently used hash functions; however, it is not feasible on the new SHA-3.

mikeazo
- I think the message extension attack is only valid if an attacker can extend the length of the modified message. What if all the parameters M, K and N are fixed in length and collectively they are less than or equal to the block size of the hash, as I have indicated in the question? – prosaad Dec 22 '17 at 19:30
- If that is guaranteed, then clearly the attack wouldn't work and likely there is no other attack. That said, usage typically changes over time and you may quickly find yourself in a use case where the attack does work. So I would still stick to known good standards. – mikeazo Dec 23 '17 at 03:10