
Re[2]: (Fwd) Authentication and encryption.





James P. Hughes said:
> If the encryption is strong and the probability of garbage passing the 
> integrity check is low enough (2^-64 or less), then the knowledge of the 
> shared secret should be authentication of the source. If one can prove 
> that to create a valid integrity check one must calculate it against the 
> data in the clear and prove that the attacker must know the key. If you 
> know only the sender (and you) know the key, then authentication is proven. 
> Why would this not be acceptable for general traffic authentication 
> when the traffic is already being encrypted?

Of course, this is correct.  The tricky part is, as you say, "if 
the encryption is strong and the probability of garbage passing the 
integrity check is low enough."  Xerox did some work in this area that 
resulted in a little-known DES mode - Cipher Block Chaining with Checksum 
(CBCC).  At the expense of one additional XOR per 64-bit data block, a sum 
of the ciphertext data blocks is kept.  Then, this sum is used in the 
encryption (and decryption) of the final data block.  CBCC ensures that 
changes made to any ciphertext block impact the decrypted output of the 
last block.  If the last block contains an integrity check (like a CRC) or 
a constant, then integrity can be checked with very little additional 
overhead.  Certainly much less overhead than MD5, especially if a constant 
is used.

Russ
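
The mechanism described in the message above, as an added sketch that is not part of the original message and is not Xerox's specification. It assumes the XOR sum of the earlier ciphertext blocks takes the place of the chaining value for the final block; the SHA-256-based Feistel function is a stand-in for DES, and every name and the constant are constructed for the example.

```python
import hashlib

BLOCK = 8                  # 64-bit blocks, the DES block size
CONSTANT = b"CBCC-OK!"     # constructed constant carried in the final block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cipher(key, block, decrypt=False):
    # Stand-in 64-bit block cipher: 4-round Feistel keyed via SHA-256. Not DES.
    f = lambda i, half: hashlib.sha256(key + bytes([i]) + half).digest()[:4]
    l, r = block[:4], block[4:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (xor(r, f(i, l)), l) if decrypt else (r, xor(l, f(i, r)))
    return l + r

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbcc_encrypt(key, iv, data):
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of 64-bit blocks")
    blocks = split(data) + [CONSTANT]
    prev, total, out = iv, bytes(BLOCK), []
    for n, p in enumerate(blocks):
        last = n == len(blocks) - 1
        # Ordinary CBC chaining, except the final block is mixed with the sum.
        c = cipher(key, xor(p, total if last else prev))
        total = xor(total, c)          # the one extra XOR per block
        prev = c
        out.append(c)
    return b"".join(out)

def cbcc_decrypt(key, iv, ct):
    if not ct or len(ct) % BLOCK:
        return None
    prev, total, out = iv, bytes(BLOCK), []
    blocks = split(ct)
    for n, c in enumerate(blocks):
        last = n == len(blocks) - 1
        out.append(xor(cipher(key, c, decrypt=True), total if last else prev))
        total = xor(total, c)
        prev = c
    # Integrity check: the final block must decrypt to the known constant.
    return b"".join(out[:-1]) if out[-1] == CONSTANT else None
```

`cbcc_decrypt` returns `None` when the final block does not decrypt to the constant, which is the only integrity signal this construction gives.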



