[CST-2] Bit of Security, for a change
Chris Applegate
cia20@cam.ac.uk
Sun, 26 May 2002 13:11:08 +0100
>
> On Sun, May 26, 2002 at 10:38:11AM +0100, Matej Pfajfar wrote:
> > > Quick security question, basically concerns 1998 paper 7
> > > question 9.
> > > Basically asks whether a digital signature on a 32bit MAC
> > > is more secure
> > > than a 128 bit Hash, and why.
> > I just got up so sorry if this is rubbish -
> > A MAC is cryptographically secure, whereas an ordinary hash is not.
> > You need to know the key to be able to generate/verify the MAC. =>
> > signatures are more difficult to forge/the sender can't
> > plausibly deny
> > that he/she sent the message etc.
>
> The key lengths used really determine the comparative security of the
> MAC vs the ordinary hash. The ordinary hash will be susceptible to the
> birthday attack, so for the 128-bit hash it takes the attacker 2^64
> complexity to produce other 'interesting' messages that hash to the
> same value and can be used for evil deeds. The MAC will avoid this in
> that the attacker doesn't know the key for the MAC, but if the key
> length is short then the attacker can first, given enough data, do a
> brute-force attack on finding the key, then apply the birthday problem
> to this too, to find two messages that produce the same MAC, which
> will only be complexity 2^16!
>
> So if the key for the MAC is > 64-bit I'd say the MAC scheme is
> securer, if it is < 64-bit the hash scheme is securer.
>
> Of course there might be other more obvious attacks on either I've
> missed..
There's also other aspects that influence this answer.
The question states that the MAC is generated using a
monthly-renewed symmetric key unique to the two banks. The MAC is then
signed with the sender's public key. The alternative is simply
calculating a hash, then signing that with the sender's public key.
The MAC is more secure in a worst-case scenario than the hash despite
the lower bit-length - assume Bank A's public signing key has been
compromised/cracked by a distributed network, whatever. If a hash is
needed, all an imposter C with an account at bank B needs to do is hash
a message 'A pay C's account at B £1m' and sign it with A's key to gain
a million quid. With the monthly MACs, C needs to find out the key
between A and B for this as well - if the key is long enough (its length
can be anything - it has no bearing on the MAC length), then if it takes
more than a month to crack it the key is secure, as it will have changed
in the meantime and be useless when you try to forge a new message.
Of course, any unscrupulous member that does know the secret keys (e.g.
if B starts making fraudulent claims with the key it shares with A),
then this aspect of security breaks - which is probably what the final
part asking about third party monitoring is asking for.
I think. Corrections welcome...
Cheerio,
Chris
do something lastminute.work
Chris Applegate
Room X6, Corpus Christi College, Cambridge, CB2 1RH
chris@qwghlm.co.uk / www.qwghlm.co.uk / [Redacted by SRCF sysadmins on request]
ICQ 41706821 PGP key available on request
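The two cryptographic points raised in this thread, the birthday bound on a 32-bit tag and the fact that a keyed MAC cannot be recomputed by someone who does not hold the shared key, as an added Python example that is not part of the original messages. It assumes HMAC-SHA256 truncated to 32 bits as a stand-in for the exam question's 32-bit MAC, a plain SHA-256 truncated to the same length as the unkeyed comparison, and a constructed demo key; the message strings are constructed too.

```python
import hashlib
import hmac
import math

# Constructed demo key standing in for the banks' monthly shared secret.
DEMO_KEY = b"constructed-demo-key-for-bank-A-and-B"


def truncated_hash(msg: bytes, bits: int) -> int:
    """Unkeyed SHA-256 truncated to `bits` bits (anyone can compute this)."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def truncated_mac(key: bytes, msg: bytes, bits: int) -> int:
    """HMAC-SHA256 truncated to `bits` bits; needs the shared key."""
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def verify_tag(key: bytes, msg: bytes, tag: int, bits: int) -> bool:
    """Receiver-side check: recompute the MAC under the shared key and
    compare in constant time."""
    expected = truncated_mac(key, msg, bits).to_bytes(bits // 8, "big")
    return hmac.compare_digest(expected, tag.to_bytes(bits // 8, "big"))


def expected_birthday_trials(bits: int) -> float:
    """Mean number of random inputs before a collision on a `bits`-bit tag:
    sqrt(pi/2 * 2^bits), i.e. roughly 2^(bits/2) as the thread says."""
    return math.sqrt(math.pi / 2 * (1 << bits))


def birthday_collision(tag_fn, bits: int, max_trials: int):
    """Search for two distinct messages with equal tag by storing tags seen.
    Returns (trials, msg1, msg2) or None if max_trials is exhausted."""
    seen = {}
    for i in range(max_trials):
        msg = b"constructed transfer #%d" % i  # constructed, all distinct
        tag = tag_fn(msg)
        if tag in seen:
            return i + 1, seen[tag], msg
        seen[tag] = msg
    return None


def forged_tag_without_key(msg: bytes, bits: int) -> bool:
    """An imposter who knows only the message (and no key) guesses the tag
    by hashing; the receiver's keyed verification rejects it."""
    guess = truncated_hash(msg, bits)
    return verify_tag(DEMO_KEY, msg, guess, bits)


if __name__ == "__main__":
    bits = 32
    print("expected trials for 32-bit collision:", round(expected_birthday_trials(bits)))
    result = birthday_collision(lambda m: truncated_hash(m, bits), bits, 1 << 20)
    trials, m1, m2 = result
    print("unkeyed 32-bit tag collision after", trials, "trials:", m1, m2)
    msg = b"A pay C's account at B 1m"  # constructed
    good = truncated_mac(DEMO_KEY, msg, bits)
    print("genuine MAC verifies:", verify_tag(DEMO_KEY, msg, good, bits))
    print("hash-only forgery verifies:", forged_tag_without_key(msg, bits))
```

The collision search is the same whether the tag is a hash or a MAC; what changes is who can run it. Against the unkeyed 32-bit hash anyone can evaluate `truncated_hash` and hits a collision after about 2^16 messages, which is the quoted reply's "complexity 2^16". Against the MAC the attacker cannot call `truncated_mac` at all without the key, so the birthday search is only available to a party that already holds (or has brute-forced) the monthly key, which is the point of the key-length argument in the thread.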