RE: Integrity Checking Requirement was -> RE: HW Support and XML Encryption Requirements

>Date: Thu, 15 Mar 2001 15:04:35 -0500
>From: "Joseph M. Reagle Jr." <reagle@w3.org>
>At 13:00 3/2/2001 -0800, Paul Lambert wrote:
>>Integrity check mechanisms are required to validate the success of the 
>>decryption process.  Without an integrity check, the random data (from 
>>decryption with the wrong key) would be processed and would occasionally be 
>>parsed as "correct" data.
>
>Paul, thank you for this clarification on checksum versus MAC. People agreed 
>at the FTF that we should enable integrity checking [1] and it is now in the 
>requirements document [2].

Unfortunately what Paul says is not precisely correct.
Message integrity checks cannot be separated from sender
authentication. If the checksum is OK but you do not know
who sent the message, you know nothing. Conversely, if you
know who sent the message but don't check integrity, you know nothing.

A simple checksum combined with a `suitable' cipher can be used for
these purposes, but in general a keyed integrity check (i.e. a MAC)
is required. Others have already pointed out the problems that can
arise when using an `unsuitable' cipher.
Given that, it makes sense to do what standard protocols do:
always use a MAC, never use a checksum. This is what SSL/TLS does, for
example.

It really makes no sense to use checksums - they don't always work
and are not significantly cheaper to compute than MACs.
We should specify MAC for integrity check.


>[1] http://www.w3.org/Encryption/2001/Meetings/0301-Boston/minutes.html
>>4.2.7 Message authentication
>>We will do some integrity, such as a checksum, combined with the 
>>encryption; at least one encryption + checksum category will be included; 
>>AES with SHA1 and 3DES with SHA1; see earlier discussion on IV as part of 
>><CipherText>; encryption with an MDC
>[2] http://www.w3.org/Encryption/2001/03/07-xml-encryption-req.html
>>5. Security
>>2. As already stated, the specification should provide for the optional 
>>creation of a checksum over the data encrypted in the ciphertext. (This 
>>enables an application to verify the success of the decryption process 
>>instead of continuing to process data with the wrong key.) {List: Lambert, 
>>FTF1}

As pointed out above, this is not correct from a cryptography point of view.
A checksum does not always provide what is being claimed here.
For cryptographic robustness we must use a MAC, not a checksum.
Specifically we should specify HMAC-SHA1.


Mike Wray (mjw@hpl.hp.co.uk)

Received on Monday, 19 March 2001 06:35:42 UTC
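An added illustration of the sender-binding point argued in the message above (example code, not from the thread or the W3C specification): an unkeyed SHA-1 checksum verifies no matter who produced it, while an HMAC-SHA1 tag verifies only for the holder of the shared key. The keys and the sample message are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def checksum(data: bytes) -> bytes:
    """Unkeyed checksum (SHA-1 over the data): anyone can compute it."""
    return hashlib.sha1(data).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """Keyed integrity check (HMAC-SHA1): only holders of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha1).digest()


def verify(key: bytes, data: bytes, tag: bytes, keyed: bool) -> bool:
    """Receiver-side check; constant-time comparison avoids timing leaks."""
    expected = mac(key, data) if keyed else checksum(data)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    alice_key = os.urandom(16)   # constructed: shared between Alice and receiver
    other_key = os.urandom(16)   # constructed: a party without Alice's key
    msg = b"transfer 100 to account 42"  # constructed sample payload
    results = {}
    # 1. Genuine message from Alice: both schemes accept.
    results["genuine_checksum"] = verify(alice_key, msg, checksum(msg), keyed=False)
    results["genuine_mac"] = verify(alice_key, msg, mac(alice_key, msg), keyed=True)
    # 2. Same bytes tagged by someone who does not hold Alice's key: the
    #    checksum still verifies (it says nothing about the sender), the MAC fails.
    results["stranger_checksum"] = verify(alice_key, msg, checksum(msg), keyed=False)
    results["stranger_mac"] = verify(alice_key, msg, mac(other_key, msg), keyed=True)
    # 3. Receiver holding the wrong key (the "decrypted with the wrong key" case
    #    from the thread): the MAC rejects, so the data is not processed further.
    results["wrong_key_mac"] = verify(other_key, msg, mac(alice_key, msg), keyed=True)
    # 4. Data altered after tagging: both schemes reject the modification.
    bad = msg.replace(b"100", b"900")
    results["modified_checksum"] = verify(alice_key, bad, checksum(msg), keyed=False)
    results["modified_mac"] = verify(alice_key, bad, mac(alice_key, msg), keyed=True)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'accept' if ok else 'reject'}")
```

Case 2 is the one the message above is about: a passing checksum tells the receiver the bytes are self-consistent, not who produced them.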