Discussion:
RC4 Based MAC / Pointers ?
m***@ieee.org
2004-08-16 07:02:33 UTC
Dear sci.crypt.research,

I designed a simple Message Authentication Code from the RC4 Stream
Cipher. I'd like to know if (even if the proceeding is
straightforward) the MAC can be considered as reasonably secure.

MAC creation is as follows:
- Assume a private shared key
- Assume we have a plaintext that is a multiple of 1024 bytes (yes, that
big)
- Create the ciphertext from the plaintext using RC4.
- Divide the ciphertext in 1024 byte blocks and XOR these
- Finally, you obtain a 1024 byte block "MAC"

... for me that sounds OK (as long as RC4 is OK), please tell me if
you think otherwise. If I get that right, you could create virtually
any size of MAC with that, can you?

best regards
Matthias


[ Editor's note: Alas, the scheme you describe is not secure.
An attacker can replace the message transmitted with any other
message whose blocks XOR to the same thing, and the change will
go undetected by the recipient -- a security failure. Stick to
SHA1-HMAC, AES-OMAC, or some other standard MAC. --DW ]
Michael Amling
2004-08-18 09:20:58 UTC
Post by m***@ieee.org
Dear sci.crypt.research,
I designed a simple Message Authentication Code from the RC4 Stream
Cipher. I'd like to know if (even if the proceeding is
straightforward) the MAC can be considered as reasonably secure.
- Assume a private shared key
- Assume we have a plaintext that is a multiple of 1024 bytes (yes, that
big)
- Create the ciphertext from the plaintext using RC4.
- Divide the ciphertext in 1024 byte blocks and XOR these
- Finally, you obtain a 1024 byte block "MAC"
Since the RC4 ciphertext is just the plaintext XORed with a
keystream, the difference between MACs of different plaintexts is just
the XOR of the differences in the plaintexts.
Given the MAC of one plaintext, it is trivial to find the MAC of any
plaintext.
Post by m***@ieee.org
... for me that sounds OK (as long as RC4 is OK), please tell me if
you think otherwise. If I get that right, you could create virtually
any size of MAC with that, can you?
best regards
Matthias
[ Editor's note: Alas, the scheme you describe is not secure.
An attacker can replace the message transmitted with any other
message whose blocks XOR to the same thing, and the change will
go undetected by the recipient -- a security failure. Stick to
SHA1-HMAC, AES-OMAC, or some other standard MAC. --DW ]
Hmm. I see our trusty moderator has reached the same conclusion. I
really should read an entire post before replying to it.

--Mike Amling
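
The linearity both replies point out, checked in code. This is an added example, not part of the original thread: it implements the proposed RC4 fold as described in the post and shows that the tag of another equal-length message can be derived from one known message/tag pair without the key, while SHA1-HMAC does tell the same messages apart. The key, the sample messages and all function names are constructed for illustration.

```python
import hmac, hashlib
BLOCK = 1024  # block size used in the post

def rc4_keystream(key: bytes, n: int) -> bytes:  # standard RC4 KSA + PRGA
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def fold(data: bytes) -> bytes:
    # XOR all 1024-byte blocks of data together.
    acc = bytes(BLOCK)
    for off in range(0, len(data), BLOCK):
        acc = xor(acc, data[off:off + BLOCK])
    return acc

def rc4_fold_mac(key: bytes, msg: bytes) -> bytes:
    # The scheme from the post: RC4-encrypt, then fold the ciphertext.
    assert len(msg) % BLOCK == 0, "post assumes a multiple of 1024 bytes"
    return fold(xor(msg, rc4_keystream(key, len(msg))))

def predict_mac(known_msg: bytes, known_mac: bytes, other_msg: bytes) -> bytes:
    # Keyless: tag(other) = tag(known) XOR fold(known XOR other), equal lengths.
    return xor(known_mac, fold(xor(known_msg, other_msg)))

def demo():
    key = b"constructed-demo-key"               # constructed sample key
    m1 = b"A" * BLOCK + b"B" * BLOCK            # constructed sample messages
    m2 = b"B" * BLOCK + b"A" * BLOCK            # same blocks, swapped
    m3 = b"other text".ljust(BLOCK, b".") + b"Z" * BLOCK
    t1 = rc4_fold_mac(key, m1)
    same_tag = rc4_fold_mac(key, m2) == t1      # reordering goes undetected
    predicted_ok = predict_mac(m1, t1, m3) == rc4_fold_mac(key, m3)
    hmac_differs = hmac.new(key, m1, hashlib.sha1).digest() != hmac.new(key, m2, hashlib.sha1).digest()
    return same_tag, predicted_ok, hmac_differs

if __name__ == "__main__":
    print(demo())
```
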
