[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Keyless Integrity Check Values
IPSECers:
I have been traveling a great deal, so I let this issue drop. But I want
to revisit the discussion. The last e-mail I recall on the topic was from
Paul Lambert, and Paul was voicing support for keyless ICVs (a.k.a. keyless
checksums). Before that, Hugo posted a message about attacks on keyless
ICVs. Hugo described the following chosen message attack:
- Construct a message M = M1 | CS1 | M2, where CS1 is the
keyless checksum on M1, and M1 and M2 are arbitrary. The
length of M1 | CS1 should be an integral number of blocks.
- Give M to the party that's encrypting and authenticating,
to obtain C = E (M | CS2), where CS2 is the checksum on M,
and E is the encryption function.
- In typical modes of encryption, it will be the case that
that C = C1 | C2, where C1 = E (M1 | CS1) --- so C1 is a
valid message as far as authentication is concerned
- Replace C1 with C on the transmission line -- the recipient
will accept C1 as authentic
I discussed Hugo's attack with Burt Kaliski, and Burt came to the following
conclusion:
This [attack] works for any kind of checksum, and although
it can be thwarted by including the total message length at
the beginning of the message, it's an attack cryptographers
would like to avoid entirely.
Given that we are interested in protecting IP datagrams as well as TCP and
UDP protocol data units, we should revisit the keyless ICV discussion
because these protocol formats all include payload data lengths.
Russ