Question
Assuming the following HMAC is used: HMAC_K(M) = Hash(K||M) = H, which is a "secret-prefix" hash function. M is the plaintext message, K is the secret key used.
The ciphertext is generated as follows: Ciphertext = E_K(M||H), where E_K is an encryption scheme which uses the secret key K.
I have read on Wikipedia that a length extension attack works on hashes where the secret key length and message are known. In this case, as I have encrypted the message, I would like to confirm that it is no longer possible to conduct a length extension attack, as M is unknown because I have encrypted it.
I would also like to know if the above scheme used to authenticate messages is susceptible to any other attacks?
Explanation / Answer
This does several things wrong. First, as Rory mentions in the comments, Don't Roll Your Own. Use HMAC, not an arbitrary hash function. This will actually protect you against length extension attacks.
Second, you propose to encrypt your pseudo-MAC along with the message. Don't do this either. This is called MAC-then-encrypt, and it leaves you potentially susceptible to attacks on the padding like the POODLE attack that just killed SSLv3. The current standard is encrypt-then-MAC, and you need to include both the IV and the ciphertext of the message in the MAC to ensure that there can be no tampering.
So, you can either encrypt-then-MAC with HMAC, or better yet, just use an authenticated encryption mode that handles the implementation for you, like AES-GCM, and you don't have to worry about whether you've done it securely or not, because someone else has already handled those details for you.