RE: Integrity Checking Requirement was -> RE: HW Support and XML Enc ryption Requirements from Mike Wray on 2001-03-07 (xml-encryption@w3.org from March 2001)

From: Mike Wray <mjw@hplb.hpl.hp.com>
Date: Wed, 7 Mar 2001 18:16:10 GMT
To: Paul.Lambert@cosinecom.com
Cc: xml-encryption@w3.org
Message-Id: <200103071816.SAA28428@steptoe.hpl.hp.com>

>From Paul.Lambert@cosinecom.com Fri Mar  2 21:02:35 GMT 2001
>...
>I don't see strong opposition ... but there is confusion in the discussion
>on the differences between integrity checking, authentication and MACs.  
>
>Integrity check mechanisms are required to validate the success of the
>decryption process.  Without an integrity check, the random data (from
>decryption with the wrong key) would processed and would occasionally be
>parsed as "correct" data.
>
>The integrity check must be contained within the encryption transform.  The
>required strength of the integrity check depends on the encryption
>algorithm.  SHA-1, HMACs and MACs are likely overkill for this mechanism
>since we should be using "strong" encryption algorithms.   With a algorithm
>like AES-cbc, all that should be required is a simple checksum or perhaps
>even a known data field of sufficient length.  Even a known XML
>encapsulation might suffice ... 

Rather than confusion about the differences, there is disagreement
about the technology. However, there now seems to be agreement
that integrity checking of some form is required (modulo details).

You cannot really separate message integrity and message authentication.
An integrity check only shows that the message
has not been modified since whoever it was sent it.
Unless you know who sent the message that doesn't mean much.
Conversely, if you know who sent the message but not that it
was not modified in transit that doesn't mean much either.

>A message authentication code (MAC) is a keyed hash typically implemented
>with an encryption algorithm.  The MAC is usually used when the data can not
>be encrypted, but strong integrity checks are required.  MAC based
>authentication is based on knowledge of the originators key that has been
>used to create the MAC.  If the MAC is correct, only a peer with access to
>the MACs key could have send the information.
>
>The requirement for a MAC transform is a completely different debate from
>the need to support integrity checking of the decryption process.  I see no
>benefits of this mechanism that could not be provided by a digital
>signature.

There has been some discussion about what integrity checks work with
what ciphers. It is true that checksum it OK with some ciphers, but
it is not OK with all. That is why I proposed requiring MAC.
MAC is cheap to compute and works regardless of the cipher, even
if the cipher is null. I think that is easier for users to cope with.
MAC is the typical technology used in protocols, SSL/TLS for example.

MAC has the great advangage over digital signature of being much faster
to compute - that's a pretty compelling benefit to me.
It's also usable when digital signatures are not.

We need integrity protection - MAC provides it cheaply, works
regardless of cipher and is standard technology. Seems like a good
case to me!

Mike Wray (mjw@hpl.hp.co.uk)

Received on Wednesday, 7 March 2001 13:16:15 UTC