
Re: Debian auditing tool?



On Tue, Dec 26, 2000 at 09:27:53PM +0200, Pavel Minev Penev wrote:
> On Tue, Dec 26, 2000 at 05:27:07PM +0300, dginsburg@mail.ru wrote:
> > Of course plain md5 hashes are not very helpful. But we can keep a MAC[1] for
> > binaries. Tampering with the MAC database is useless.
> >
> > ...
> >
> > [1] Message Authentication Code. One of the possible ways to compute a MAC is
> > H(K,H(K,M)), where H is a one-way hash function (MD5 or, better, SHA), K is
> > the key, and M is the message (the protected binary).
> 
> Hey, I'm not very good at crypto; however, I was wondering what prevents the
> intruder from regenerating the MAC data-base (and what is the point of the
> double hashing you have stated as "H(K,H(K,M))"?).
>


The Book (Bruce Schneier, "Applied Cryptography"):

Alice concatenates K and M, and computes the one-way hash of the concatenation:
H(K,M). This hash is the MAC. Since Bob knows K, he can reproduce Alice's
result. Mallory, who does not know K, can't.

This method works with MD-strengthening techniques, but has serious problems.
Mallory can always add new blocks to the end of the message and compute a valid
MAC. This attack can be thwarted if you put the message length at the beginning,
but Preneel is suspicious of this scheme. It is better to put the key at the end
of the message, H(M,K), but this has some problems as well.

....

The following constructions seem secure:
        H(K1,H(K2,M))
        H(K,H(K,M))
        H(K,p,M,K), where p pads K to full message block.
			


> Sorry if off-topic (though a nice critical note would be fine).
> 
> And don't forget to be gay (at least on Christmas),
> -- 
> Pavel M. Penev
> 
> 

-- 
dg
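
Added example, not part of the original message or of the book: a Python sketch of the database question raised in the quoted reply, comparing a plain-hash database with one built from the H(K,H(K,M)) construction when an intruder replaces a binary and rewrites its entry. SHA-256 stands in for H; the function names, paths, file contents and key are constructed, and K is assumed to be stored off the audited host.

```python
import hashlib
import hmac


def plain_hash(_key: bytes, data: bytes) -> str:
    """Unkeyed digest: anyone who can write the database can recompute it."""
    return hashlib.sha256(data).hexdigest()


def nested_mac(key: bytes, data: bytes) -> str:
    """H(K, H(K, M)) from the message, with H = SHA-256 and ',' = concatenation."""
    inner = hashlib.sha256(key + data).digest()
    return hashlib.sha256(key + inner).hexdigest()


def build_db(tag, key, binaries):
    """Map each path to the tag of its current contents."""
    return {path: tag(key, data) for path, data in binaries.items()}


def audit(tag, key, db, binaries):
    """Return the sorted paths that are missing, unlisted, or fail verification."""
    failed = []
    for path in sorted(set(db) | set(binaries)):
        if path not in db or path not in binaries:
            failed.append(path)
        elif not hmac.compare_digest(db[path], tag(key, binaries[path])):
            failed.append(path)
    return failed


def scenario():
    """Constructed data: one binary is replaced and its database entry rewritten."""
    key = b"constructed-key-stored-off-the-audited-host"  # assumption: never on the host
    binaries = {"/bin/ls": b"ls v1", "/bin/login": b"login v1"}
    plain_db = build_db(plain_hash, key, binaries)
    mac_db = build_db(nested_mac, key, binaries)

    # The intruder controls the files and both databases, but not K.
    binaries["/bin/login"] = b"login v1 + backdoor"
    plain_db["/bin/login"] = plain_hash(b"", binaries["/bin/login"])
    mac_db["/bin/login"] = nested_mac(b"wrong-guess", binaries["/bin/login"])

    return audit(plain_hash, key, plain_db, binaries), audit(nested_mac, key, mac_db, binaries)


if __name__ == "__main__":
    print(scenario())
```

The plain-hash audit reports nothing because the rewritten entry matches the replaced file, while the MAC audit flags /bin/login; that difference holds only as long as K cannot be read from the audited host.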


