[8282] in cryptography@c2.net mail archive
Re: IBM press release - encryption and authentication
daemon@ATHENA.MIT.EDU (Nikita Borisov)
Thu Dec 14 18:49:40 2000
To: cryptography@c2.net
From: nikitab@cs.berkeley.edu (Nikita Borisov)
Date: 14 Dec 2000 14:56:55 -0800
Message-ID: <91bj7n$ir1$1@abraham.cs.berkeley.edu>

In article <010801c064d0$b64193a0$6000a8c0@em>,
Enzo Michelangeli <em@who.net> wrote:
>Apart from the parallelization-friendliness, wouldn't the same result be
>achieved by encrypting the concatenation of the plaintext with a MAC
>implemented through a fast error detection code (say, a sufficiently long
>CRC)? Due to the presence of encryption, the security properties of the
>inner MAC don't appear to really matter (as they would in the "DES-CBC
>first, then HMAC-MD5" scenario mentioned in the draft for comparison).

I may be misunderstanding what you are suggesting, but the construction
that uses an encrypted CRC as a MAC is insecure. E.g., Stubblebine &
Gligor[1] show attacks on protocols which encrypt the concatenation of a
packet and a CRC-32 using DES-CBC. The properties of the MAC, encrypted
or not, do appear to matter.

I think, though, that the "parallelization-friendliness" of the result
is much more interesting than being able to encrypt and MAC at the same
time.

- Nikita

[1] "On Message Security in Cryptographic Protocols", IEEE Symposium on
Security & Privacy, Oakland 1992.
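
An added illustration, not part of the original message and not the attack from [1]: it shows why an encrypted CRC fails as an integrity check, next to encrypt-then-HMAC, which detects the same change. It assumes an XOR keystream cipher rather than the DES-CBC mode discussed in [1]; the toy keystream, the sample message and all function names are constructed for this example.

```python
import hashlib, hmac, os, zlib

def keystream(key, n):
    # Constructed toy keystream (SHA-256 in counter mode), a stand-in for any XOR cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data):
    return zlib.crc32(data).to_bytes(4, "big")

def seal_crc(key, msg):
    # Weak: encrypt(msg || CRC-32(msg)); the checksum is unkeyed and linear.
    body = msg + crc(msg)
    return xor(body, keystream(key, len(body)))

def open_crc(key, ct):
    body = xor(ct, keystream(key, len(ct)))
    return body[:-4] if crc(body[:-4]) == body[-4:] else None

def modify_without_key(ct, delta):
    # crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros) for equal lengths, so the
    # encrypted checksum can be patched to match without the key.
    fix = xor(crc(delta), crc(bytes(len(delta))))
    return xor(ct, delta + fix)

def seal_hmac(enc_key, mac_key, msg):
    # Hardened: encrypt, then a keyed MAC (HMAC-SHA256) over the ciphertext.
    ct = xor(msg, keystream(enc_key, len(msg)))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_hmac(enc_key, mac_key, blob):
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return xor(ct, keystream(enc_key, len(ct))) if hmac.compare_digest(tag, good) else None

def demo():
    k1, k2 = os.urandom(16), os.urandom(16)
    msg = b"seq=0001 state=closed"                # constructed sample message
    delta = xor(msg, b"seq=0001 state=opened")    # XOR difference applied in transit
    weak = open_crc(k1, modify_without_key(seal_crc(k1, msg), delta))
    strong = open_hmac(k1, k2, xor(seal_hmac(k1, k2, msg), delta + bytes(32)))
    return weak, strong   # altered text accepted by the CRC scheme; None from HMAC

if __name__ == "__main__":
    print(demo())
```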