draft-ietf-ipsec-ah-md5-00.txt
Ref: Your note of Tue, 17 Jan 95 15:23:56 MST (attached)
>
> Oh, BTW... a CRC *is* a secure MAC if the polynomial and the MAC are
> unknown to an attacker. Given a few messages and MACs, it is easy to
> find the GCD, which is the polynomial, but without, it's guesswork.
> (This is from the folks who did the Strongbox secure loader at CMU -
> they needed a *fast* secure hash.)
> --
> -Colin
Colin,
This statement, even if true, may confuse people. As you said,
the MAC (and polynomial) needs to be *unknown* to an attacker to be secure;
and then this is irrelevant to the IPSEC scenario where one needs
to transmit its value.
MOREOVER, even if you encrypt the CRC value under a perfect one-time pad before
transmitting it (i.e., perfect encryption), this authentication is
*not* secure. To make it secure you must append to the message as many zeros
as the length of the CRC before doing the polynomial division (or another
equivalent shift operation). For details, see my paper "LFSR-based hashing and
authentication" in Crypto'94.
Hugo
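The forgery Hugo is pointing at, as an added example that is not part of the original thread: a CRC computed as polynomial division over GF(2), the tag XORed with a one-time pad, and an attacker who flips a few low-order bits in the message and the same bits in the tag. Because the CRC is linear, h(M xor D) = h(M) xor h(D), and for the plain (unshifted) CRC h(D) = D whenever D has degree below the tag length, so the forgery needs neither the pad nor the polynomial. The same attempt against the shifted variant (n zero bits appended before division) fails. The secret polynomial and the sample message are assumptions made for this example; the CRC-32 generator is used only as a concrete degree-32 value, and how a secret polynomial should actually be chosen is the subject of the cited paper, not of this code.

```python
import secrets

# Assumed secret generator polynomial of degree n = 32 (bit i = coefficient of x^i).
# The CRC-32 polynomial is only a concrete stand-in for the attacker-unknown
# polynomial in the thread; note that the forgery below never uses it.
SECRET_POLY = 0x104C11DB7
N = SECRET_POLY.bit_length() - 1  # tag length in bits


def poly_mod(a: int, p: int) -> int:
    """Remainder of a(x) divided by p(x) over GF(2): long division in which
    subtraction is XOR."""
    deg_p = p.bit_length() - 1
    while a and a.bit_length() - 1 >= deg_p:
        a ^= p << (a.bit_length() - 1 - deg_p)
    return a


def crc_plain(msg: bytes, p: int = SECRET_POLY) -> int:
    """M(x) mod p(x): the CRC with no shift (the construction Hugo says is insecure)."""
    return poly_mod(int.from_bytes(msg, "big"), p)


def crc_shifted(msg: bytes, p: int = SECRET_POLY) -> int:
    """M(x) * x^n mod p(x): n zero bits appended to the message before the
    division, i.e. the shift Hugo says is required."""
    n = p.bit_length() - 1
    return poly_mod(int.from_bytes(msg, "big") << n, p)


def mac(msg: bytes, pad: int, h) -> int:
    """Tag = h(msg) XOR pad, where pad is a fresh n-bit one-time pad shared by
    sender and receiver (perfect encryption of the CRC value)."""
    return h(msg) ^ pad


def verify(msg: bytes, tag: int, pad: int, h) -> bool:
    return (h(msg) ^ pad) == tag


def same_delta_forgery(msg: bytes, tag: int, delta: int):
    """Attacker sees only (msg, tag).  Flip the bits of `delta` (a polynomial of
    degree < n, so it fits inside the message) in the message and flip the same
    bits in the tag, betting that h(M xor D) = h(M) xor D."""
    m = int.from_bytes(msg, "big") ^ delta
    return m.to_bytes(len(msg), "big"), tag ^ delta


def forgery_succeeds(h, msg: bytes = b"PAY 10 TO ALICE", delta: int = 0x8,
                     pad=None) -> bool:
    """One run of the attack against hash function h.  The pad is generated
    here and never handed to the attacker.  Returns True if the receiver
    accepts the forged (message, tag) pair."""
    if pad is None:
        pad = secrets.randbits(N)          # fresh, uniform, secret
    tag = mac(msg, pad, h)                 # what goes on the wire
    forged_msg, forged_tag = same_delta_forgery(msg, tag, delta)
    return forged_msg != msg and verify(forged_msg, forged_tag, pad, h)


if __name__ == "__main__":
    print("plain CRC + one-time pad, forgery accepted:  ", forgery_succeeds(crc_plain))
    print("shifted CRC + one-time pad, forgery accepted:", forgery_succeeds(crc_shifted))
```

Against `crc_plain` the forgery is accepted for every pad and every non-zero delta of degree below n, which is the sense in which one-time-pad encryption of the tag does not help. Against `crc_shifted` the attacker would need D * x^n mod p to equal D; since deg D < deg p that requires p to divide x^n + 1, which no irreducible polynomial of degree n >= 2 does (x + 1 is a factor of x^n + 1), so this particular bet always loses. What forgery probability the shifted construction actually leaves an attacker is the question the cited Crypto'94 paper answers; this example only shows the gap between the two constructions.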