
Possible Duplicate:
Why is H(k||x) not a secure MAC construction?

I have the following problem: two parties, A and B, share a secret key Kab. M is a plaintext message and H is an unkeyed hash function.

A sends to B: M, H( Kab | M ) (where | means concatenation).

If we want to provide data origin authentication and data integrity (no confidentiality required), my exercise states that we have to change the protocol to this:

A sends to B: M, H( Kab | M | Kab ).

I don't understand the difference in terms of the guarantees of the two protocols, and therefore why the second one is 'right' and the first one is not.

ArtoAle
  • See: http://crypto.stackexchange.com/questions/1070/why-is-hkx-not-a-secure-mac-construction – mikeazo Jan 28 '13 at 16:03
  • Note that the exercise assumes that the hash in question is a Merkle-Damgaard hash without truncation; if the hash was (say) SHA-3 or SHA-2-384, $H( Kab | M)$ does appear to be sufficient. – poncho Jan 28 '13 at 16:35
  • Thank you. I supposed that the problem was with 'non-ideal' hash function. Now it's clear to me, thanks! – ArtoAle Jan 28 '13 at 16:55
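
The property the comments point to, as an added example that is not part of the original question or its comments: with an untruncated Merkle-Damgaard hash (SHA-256 here), the tag H( Kab | M ) is the complete internal state, so a valid tag for a longer message can be computed without Kab, while the same step against H( Kab | M | Kab ) does not verify. The key, messages and function names are constructed for illustration, and the forger is assumed to know the length of Kab.

```python
import hashlib, hmac, struct
M32 = 0xFFFFFFFF

def _icbrt(n):  # floor cube root (Newton); only used to derive round constants
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

# SHA-256 round constants: 32 fractional bits of cube roots of the first 64 primes
K = [_icbrt(p << 96) & M32 for p in range(2, 312) if all(p % d for d in range(2, p))]

def _r(x, n):  # 32-bit rotate right
    return ((x >> n) | (x << (32 - n))) & M32

def compress(state, block):  # SHA-256 compression of one 64-byte block
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _r(w[i - 15], 7) ^ _r(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _r(w[i - 2], 17) ^ _r(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = h + (_r(e, 6) ^ _r(e, 11) ^ _r(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]
        t2 = (_r(a, 2) ^ _r(a, 13) ^ _r(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def md_pad(n):  # padding SHA-256 appends to an n-byte input
    return b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack(">Q", n * 8)

def extend(tag, total_len, suffix):  # the digest is the whole state: resume from it
    state = list(struct.unpack(">8I", tag))
    glue = md_pad(total_len)
    data = suffix + md_pad(total_len + len(glue) + len(suffix))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return glue, struct.pack(">8I", *state)

def demo():
    kab, m, suffix = b"constructed-key!", b"to=bob;amt=10", b";note=appended"  # constructed
    # Protocol 1, H(Kab | M): tag for M | glue | suffix is computed without Kab.
    glue, forged = extend(hashlib.sha256(kab + m).digest(), len(kab) + len(m), suffix)
    ok1 = hmac.compare_digest(forged, hashlib.sha256(kab + m + glue + suffix).digest())
    # Protocol 2, H(Kab | M | Kab): the extension lands after the trailing key, and
    # the verifier appends Kab again, so the extended digest does not verify.
    glue, forged = extend(hashlib.sha256(kab + m + kab).digest(), 2 * len(kab) + len(m), suffix)
    ok2 = hmac.compare_digest(forged, hashlib.sha256(kab + m + glue + suffix + kab).digest())
    return ok1, ok2
```

`demo()` returns whether the extended tag verifies under each protocol; a truncated digest such as SHA-2-384 would not hand `extend` the full state it needs.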
