From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: checksum with length constraints
Date: Wed, 4 Sep 2002 22:24:49 +0000 (UTC)
Cryptoguy1 wrote:
> I read Wagner et al's paper on 'Intercepting Mobile
> communications'. That attack exploited the distribution property of
> CRC checksums, i.e.,
> c(M) XOR c(x) = c(M XOR x)
>
> My assumption was that a similar attack would not be possible if I
> used SHA-1... am I missing something here?
Yes, you're missing something here. If you append an unkeyed SHA-1
checksum, then encrypt with a stream cipher (say, RC4, or AES-CTR),
there are other attacks. Note:
if c = (m || H(m)) xor z
and c' = c xor ((m xor m') || (H(m) xor H(m'))),
then c' decrypts to m' with a valid checksum.
This leads to a simple known-plaintext attack on message integrity.
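The construction in the reply above, worked through as an added example (this is not code from the post or from any of the people quoted in it). It uses SHAKE-256 as a stand-in keystream generator for RC4 or AES-CTR, constructed keys and messages, and HMAC-SHA1 as the keyed alternative; all of those are assumptions for the demo, not anything the post specifies. The point it shows from the defender's side is that an unkeyed hash under a stream cipher is not an integrity check at all (the delta from the post passes the check without the key), while a keyed MAC breaks the same manipulation because the attacker cannot compute the tag for the new message.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def keystream(key: bytes, n: int) -> bytes:
    """Keystream z of length n. Assumption: SHAKE-256 stands in for RC4 / AES-CTR."""
    return hashlib.shake_256(key).digest(n)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "stream-cipher XOR needs equal lengths"
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unkeyed(key: bytes, m: bytes) -> bytes:
    """The flawed scheme from the post: c = (m || SHA1(m)) xor z."""
    body = m + hashlib.sha1(m).digest()
    return xor(body, keystream(key, len(body)))


def decrypt_unkeyed(key: bytes, c: bytes):
    """Returns (message, checksum_ok) for the flawed scheme."""
    body = xor(c, keystream(key, len(c)))
    m, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    return m, hmac.compare_digest(tag, hashlib.sha1(m).digest())


def malleate(c: bytes, m: bytes, m_prime: bytes) -> bytes:
    """The known-plaintext modification from the post:
    c' = c xor ((m xor m') || (H(m) xor H(m'))).
    Note it needs c and the known plaintext m only, never the key."""
    delta = xor(m, m_prime) + xor(hashlib.sha1(m).digest(),
                                  hashlib.sha1(m_prime).digest())
    return xor(c, delta)


def encrypt_keyed(enc_key: bytes, mac_key: bytes, m: bytes) -> bytes:
    """Keyed variant (assumption for the demo): c = (m || HMAC-SHA1(k, m)) xor z."""
    body = m + hmac.new(mac_key, m, hashlib.sha1).digest()
    return xor(body, keystream(enc_key, len(body)))


def decrypt_keyed(enc_key: bytes, mac_key: bytes, c: bytes):
    """Returns (message, tag_ok) for the keyed variant."""
    body = xor(c, keystream(enc_key, len(c)))
    m, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, m, hashlib.sha1).digest()
    return m, hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Runs both schemes through the same manipulation and reports the outcome."""
    enc_key = b"constructed-demo-stream-key"   # constructed value
    mac_key = b"constructed-demo-mac-key"      # constructed value
    m = b"PAY ALICE $100"                      # constructed known plaintext
    m_prime = b"PAY MALLY $999"                # same length: XOR cannot change length

    # Unkeyed SHA-1 under the stream cipher: the modified ciphertext is accepted.
    c = encrypt_unkeyed(enc_key, m)
    got, ok_unkeyed = decrypt_unkeyed(enc_key, malleate(c, m, m_prime))

    # Keyed MAC: the same delta flips the message bytes but the tag no longer matches,
    # because HMAC(k, m) xor SHA1(m) xor SHA1(m') is not HMAC(k, m').
    c2 = encrypt_keyed(enc_key, mac_key, m)
    got2, ok_keyed = decrypt_keyed(enc_key, mac_key, malleate(c2, m, m_prime))

    return {
        "unkeyed_msg": got, "unkeyed_valid": ok_unkeyed,
        "keyed_msg": got2, "keyed_valid": ok_keyed,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The keyed variant is there only for contrast with the post's point (the hash must be keyed). In a real design you would rather MAC the ciphertext (encrypt-then-MAC) or use an AEAD mode, and you would never reuse a stream-cipher keystream across messages.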