0

assume i have:

One-key cipher: E.

Hash: H

My application is authentication. I have a shared secret key with Bob for the One-key cipher.

So, when I send an message to Bob, I also send an authentication code. It is over an insecure channel, so I may have man-in-the-middle attack, etc.

I wonder if below schemes for authentication code are safe or have special weakness.

  1. M and H(E(M))

I apply one-key-encryption to the message and then hash it.

any problem with this scheme?

  1. M and E(H(M))

I hash the message then apply one-key-encryption to the hash value.

in this scheme, the attacker may change M and H(M), but without knowing the secret key, no way for him to generate E?

(they key point is not to argue that E can be an insecure scheme. the question here is, over an insecure channel, if E is secured by a shared secret and H is collision resistant, is that any difference to H(E(M)) and E(H(M))? any comparative advantage or disadvantage to these two schemes.. appreciated for advice)

it seems to me both schemes are same and fine, but I am not sure..

pianobegginer
  • 49
  • 5
  • One-key cipher = OTP? What it is exactly? Not a clear question. You should see Should we MAC-then-encrypt or encrypt-then-MAC? – kelalaka Oct 26 '20 at 14:05
  • you can assume E as en encryption transformation based on one-key cipher, in other words, it is secure. – pianobegginer Oct 26 '20 at 14:19
  • @pianobegginer Um, "encryption transformation based on one-key cipher" is not guaranteed to be secure. ECB is not secure. CBC-PKCS#5 is not secure over a transport protocol. Furthermore, even if the cryptographic algorithms would be secure, then you'd still have replay attacks etc. Should we discount all of those attacks? Note, that last sentence is a sincere question, not a rebuttal. – Maarten Bodewes Oct 26 '20 at 14:45
  • 1
    Congratulation for doubting your first intuition when it concludes something is secure. Hint: detail the verification procedure for the proposed schemes. Then picture yourself as an attacker. The attacker knows all that's exchanged, procedures, and functions (except the key for E), and attempts to coerce the verification procedure into accepting anything not intended. Since E is unspecified, E can be any cipher providing confidentiality, e.g. a block cipher in one of these operating modes except ECB. – fgrieu Oct 26 '20 at 14:53
  • as mentioned, you may assume the one-key cipher is secure, if it is secure, is H(E(M)) and E(H(M)) secure? are they any difference? thx for advice. – pianobegginer Oct 26 '20 at 14:55
  • The point is that this looks very much like an assignment, and we haven't seen any reasoning from your side why one would be secure or not. Generally we only hint in that case. There is too much information missing to know if these schemes are secure or not in a practical setting. As additional hint: I can definitely find a configuration where #2 is not secure, assuming that $E$ is encryption with a key stream. – Maarten Bodewes Oct 27 '20 at 10:16
  • yes, E could be a key stream, a one-time pad, why #2 is not secure? isn't one-time pad secure to encrypt any message as long as the key length of otp is as long as message length? thx for advice. – pianobegginer Oct 27 '20 at 13:29

0 Answers0