In symmetric key settings, in order to provide message integrity, we compute the hash of the message. The message along with the message digest is then encrypted. Is it necessary to encrypt the hash of the message? Can't we send the encrypted message along with the unencrypted message digest?
-
You shouldn't hash the message, you should MAC the message. – CodesInChaos Sep 26 '14 at 16:02
3 Answers
"Is it necessary to encrypt the message digest?" and
"Is it necessary to encrypt the hash of the message?"
Yes, since otherwise:
An eavesdropper could determine, with overwhelming accuracy, which [core ciphertext + hash] pairs are for the same message.
(The following three sentences wouldn't apply if you used a MAC instead of a hash.)
An eavesdropper could test any guess at the message on their own.
If you use CTR mode, then an adversary who knows the plaintext could modify a [core ciphertext + hash] pair to yield any plaintext of their choice.
If there is a secure encryption scheme, then there is one for which your approach would allow an adversary to generate [core ciphertext + hash] pairs that will decrypt to arbitrary plaintexts even without having seen any legitimate [core ciphertext + hash] pairs.
"Can't we send the encrypted message along with the unencrypted message digest?"
You could "send the encrypted message along with the unencrypted message digest";
however, that would be even less secure than what you're doing.
Your approach is not secure.
See Authenticated Encryption vs. contained and encrypted checksum/hash?
and Should we MAC-then-encrypt or encrypt-then-MAC?.
-
I agree with you. But note that if you are using CTR and the attacker knows the plaintext and you are using a hash instead of an HMAC, he can still modify the ciphertext, fixing the hash. – Ángel Sep 26 '14 at 16:49
-
@Ricky How can eavesdropper test any guess at the message on their own? I didn't understand this part. – Curious Sep 27 '14 at 14:32
-
@Curious: An eavesdropper could hash their guesses and check whether or not the hashes match. – Sep 27 '14 at 15:34
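The CTR-mode point in Ricky Demer's answer and in Ángel's comment, worked through as an added example (this code is not from the original post or any of its authors). The stream cipher is a toy stand-in for AES-CTR whose keystream blocks are SHA-256(key || nonce || counter); that construction is an assumption made only so the example runs with the standard library, but the attack shown is a property of every CTR/stream cipher, since ciphertext = plaintext XOR keystream. The receiver's check in `receive_hash` is exactly the "decrypt, hash, compare with the clear digest" procedure from the question; `receive_mac` is encrypt-then-MAC with HMAC-SHA256 under a separate key. The message and the attacker's replacement are constructed sample data.

```python
"""Unencrypted hash vs. MAC on a CTR ciphertext (added example; toy cipher)."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR keystream: block i = SHA-256(key || nonce || i). Stand-in for AES-CTR.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


ctr_decrypt = ctr_encrypt  # XOR is its own inverse


# --- Scheme from the question: encrypt the message, send the unkeyed hash in the clear.
def send_hash(key, nonce, plaintext):
    return ctr_encrypt(key, nonce, plaintext), hashlib.sha256(plaintext).digest()


def receive_hash(key, nonce, ciphertext, digest):
    plaintext = ctr_decrypt(key, nonce, ciphertext)
    if hashlib.sha256(plaintext).digest() != digest:
        raise ValueError("integrity check failed")
    return plaintext


def forge_hash(ciphertext, known_plaintext, wanted_plaintext):
    # C' = C XOR (P XOR P') decrypts to P'. No key is needed to recompute the hash.
    delta = xor(known_plaintext, wanted_plaintext)
    return xor(ciphertext, delta), hashlib.sha256(wanted_plaintext).digest()


# --- Encrypt-then-MAC: HMAC-SHA256 over nonce || ciphertext under a separate key.
def send_mac(enc_key, mac_key, nonce, plaintext):
    ciphertext = ctr_encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def receive_mac(enc_key, mac_key, nonce, ciphertext, tag):
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")  # checked before decrypting
    return ctr_decrypt(enc_key, nonce, ciphertext)


def forge_mac(ciphertext, tag, known_plaintext, wanted_plaintext):
    # Same bit flip, but the attacker cannot recompute the tag without mac_key;
    # the best it can do is replay the old one.
    return xor(ciphertext, xor(known_plaintext, wanted_plaintext)), tag


def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    msg = b"pay Alice   100"    # constructed sample message
    wanted = b"pay Mallory 999"  # attacker's choice, same length as msg
    assert len(msg) == len(wanted)

    c, h = send_hash(enc_key, nonce, msg)
    c2, h2 = forge_hash(c, msg, wanted)
    hash_result = receive_hash(enc_key, nonce, c2, h2)  # accepted as genuine

    c, t = send_mac(enc_key, mac_key, nonce, msg)
    c2, t2 = forge_mac(c, t, msg, wanted)
    try:
        receive_mac(enc_key, mac_key, nonce, c2, t2)
        mac_result = "accepted"
    except ValueError:
        mac_result = "rejected"
    return hash_result, mac_result


if __name__ == "__main__":
    print(demo())  # (b'pay Mallory 999', 'rejected')
```

The forgery needs only the known plaintext and the public hash function, so encrypting the digest alongside the message (the question's original scheme) changes the details but not the conclusion: integrity has to come from a key the attacker does not hold, which is what the MAC supplies.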
No, it is not necessary to encrypt the digest, as you can still validate the integrity of the message. If we decrypt the message, then calculate the hash and compare it with the unencrypted received hash, and it matches, then the message is not forged.
If someone intercepts and changes the message, it won't decrypt to the original message, and if someone changes the hash, it won't match the hash calculated at the receiver's end.
Anyway, the hash is very small, so we can encrypt it as well.
-
With the exception of new encryption modes that are not yet super-widely used, if the message ciphertext is modified, it will still decrypt. It'll just decrypt to an unpredictable value for the affected part of the message. Being able to compare to the hash is what lets you know the message changed. – atk Sep 26 '14 at 11:37
I would definitely encrypt the digest. If somebody sniffs your messages, he would be able to guess a lot of information about them:
He can precompute digests for common phrases like "start the war!" and so "decrypt" them off-line.
In the future, he can prove a message was sent or not sent.
He can recognise that a message was sent repeatedly.
A basic cryptography rule is that the sniffer should see just random-looking data and be unable to guess anything about it.
I would recommend you add a salt to every message and compute the digest over everything, including the salt. If you are paranoid, then you can from time to time send random data to make the sniffer unable to recognise when and how much you communicate. Statistics would help you decide when and how much random data you should send to confuse him maximally. Also, you can add a random amount of random data to the end of every message to confuse the sniffer's guesses about the message length.
-
You're right about those issues, but your advice is not good. What people should actually do is use a secure, existing authenticated encryption scheme as discussed in Ricky Demer's links (e.g. an AEAD like GCM, or encrypt-then-MAC with CBC and HMAC), not invent something new. – Matt Nordhoff Sep 26 '14 at 18:29
-
I gave just general advice and principles. It is nothing against anything. CBC is an enc. mode, HMAC is how to secure integrity/consistency... Have I written that I wouldn't use it? IMO, the question was why, not how. – smrt28 Sep 26 '14 at 19:12
-
@smrt28 Are you talking about replay attacks? Let me rephrase the question. To guarantee the integrity of the message being sent, is it necessary to encrypt the message digest? Let us assume that the time stamp is appended to the message and encrypted. – Curious Sep 27 '14 at 14:38
-
@Curious To guarantee the integrity of the message being sent, it is necessary to use a proven construction! The specific details of a bespoke, insecure scheme don't matter. – Matt Nordhoff Sep 27 '14 at 21:27
-
@Curious you create a security problem by sending an unencrypted digest. But yes, to ensure integrity it could be sufficient. – smrt28 Sep 28 '14 at 16:03
-
@Matt Nordhoff - life seems to be so easy. Just always use a proven construction and everything would be super-pink. – smrt28 Sep 28 '14 at 16:09
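The confidentiality side of the problem, as raised in smrt28's answer (precomputed digests of likely phrases, detection of repeated messages, a per-message salt as the fix) and in the first point of Ricky Demer's answer, as an added example that is not part of the original thread. The phrase list and the three intercepted messages are constructed sample data; the attacker never sees a key and never touches the ciphertexts, only the digests sent in the clear. The example also shows a caveat the thread does not spell out: a keyed MAC stops the dictionary lookup, but a deterministic MAC computed over the plaintext still reveals repeats, so either a fresh random salt has to be hashed in (smrt28's suggestion) or the MAC has to cover a fresh nonce and the ciphertext rather than the bare plaintext.

```python
"""What a passive eavesdropper learns from a clear, unkeyed digest (added example)."""
import hashlib
import hmac
import secrets

# Constructed "dictionary" of messages the attacker considers likely.
LIKELY_PHRASES = [b"start the war!", b"stand down", b"attack at dawn", b"all clear"]


def unkeyed_digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def precompute_table(phrases):
    # Built once, offline, with no key material: digest -> plaintext.
    return {unkeyed_digest(p): p for p in phrases}


def recover_from_digests(table, observed_digests):
    """Attacker's view: the ciphertexts are opaque, but each clear digest is a
    lookup key. Returns the recovered plaintext (or None) for each message."""
    return [table.get(d) for d in observed_digests]


def repeated_messages(observed_digests):
    """Attacker's second win: equal digests mean equal plaintexts, no matter how
    random the (nonce-randomised) ciphertexts look. Returns (first, later) index pairs."""
    first_seen = {}
    repeats = []
    for i, d in enumerate(observed_digests):
        if d in first_seen:
            repeats.append((first_seen[d], i))
        first_seen.setdefault(d, i)
    return repeats


def keyed_digest(key: bytes, message: bytes) -> bytes:
    # HMAC: without `key` the attacker can neither precompute nor verify guesses.
    return hmac.new(key, message, hashlib.sha256).digest()


def salted_digest(message: bytes):
    # smrt28's suggestion: a fresh random salt per message, hashed in with it.
    # The salt has to reach the receiver too (e.g. inside the encrypted part).
    salt = secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + message).digest()


def demo():
    # The sender transmits three messages; the third repeats the first.
    sent = [b"start the war!", b"all clear", b"start the war!"]
    table = precompute_table(LIKELY_PHRASES)

    clear = [unkeyed_digest(m) for m in sent]
    key = secrets.token_bytes(32)
    keyed = [keyed_digest(key, m) for m in sent]
    salted = [salted_digest(m)[1] for m in sent]

    return {
        "recovered_from_clear_digests": recover_from_digests(table, clear),
        "repeats_with_clear_digests": repeated_messages(clear),
        "recovered_from_hmac": recover_from_digests(table, keyed),
        "repeats_with_hmac": repeated_messages(keyed),  # deterministic MAC: still leaks
        "repeats_with_salted_digests": repeated_messages(salted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the unkeyed digest the attacker reads two of the three messages straight out of the table and pairs up the repeat; with HMAC the table is useless, but the repeat is still visible; only the salted (or nonce-bound) digest hides both. Encrypt-then-MAC over nonce || ciphertext, the construction Matt Nordhoff points to, gets the same effect because the nonce changes on every message.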