This preview shows page 1. Sign up to view the full content.
Unformatted text preview: A keyed compression function is used to hash these blocks, under the control of a secret key, into a single block of 64 bits. This is the step that uses either DES or tripleDES. Finally, the output of this compression is subjected to another DESbased encryption with a different key, derived from the key used in the compression. See [1305] for details. IBCHash
IBCHash is another MAC adopted by the RIPE project [1305] (see Section 18.8). It is interesting because it is provably secure; the chance of successful attack can be quantified. Unfortunately, every message must be hashed with a different key. The chosen level of security puts constraints on the maximum message size that can be hashed—something no other function in this chapter does. Given these considerations, the RIPE report recommends that IBCHash be used only for long, infrequently sent messages. The heart of the function is hi = ((Mi mod p) + v ) mod 2n The secret key is the pair p and v, where p is an N bit prime and v is a random number less than 2n. The Mi values are derived by a carefully specified padding procedure. The probabilities of breaking both the onewayness and the collisionresistance can be quantified, and users can choose their security level by changing the parameters. OneWay Hash Function MAC
A oneway hash function can also be used as a MAC [1537]. Assume Alice and Bob share a key K, and Alice wants to send Bob a MAC for message M. Alice concatenates K and M, and computes the oneway hash of the concatenation: H (K,M ). This hash is the MAC. Since Bob knows K, he can reproduce Alice’s result. Mallory, who does not know K, can’t. This method works with MDstrengthening techniques, but has serious problems. Mallory can always add new blocks to the end of the message and compute a valid MAC. This attack can be thwarted if you put the message length at the beginning, but Preneel is suspicious of this scheme [1265]. It is better to put the key at the end of the message, H (M,K ), but this has some problems as...
View Full
Document
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details