crc inside block-mode = insecure (Re: [p2p-hackers] amicima's MFP - preannouncement)

Adam Back adam at cypherspace.org
Thu Jul 21 15:47:36 UTC 2005


Actually what you are doing if I understood (CRC? checksum inside
block cipher) is a known insecure construct.  SSH had a fairly major
bug filed on this when the issue was discovered and it was fixed.

Minimally you need a cryptographic checksum (SHA1 etc) inside the
block cipher.

But really I think you would just as well use HMAC-SHA1 as the extra
cost over SHA1 is small.

The simpler/safer way to add a MAC IMO is to put the MAC outside the
encryption.  Avoids issues such as Bleichenbacher's attack against
some implementations of openSSL working from the interaction of MAC
inside encryption and the padding mode.

Adam

On Tue, Jul 19, 2005 at 02:55:58PM -0700, Matthew Kaufman wrote:
> > In any case it is seen as a good practise to implement a MAC 
> > on top of encryption. In your case the CRC and message 
> > structure provides some probabilistic protection against 
> > tampered packets. This is not the case in all applications.


