"Travis H." <[EMAIL PROTECTED]> writes:
> So...
>
> Suppose I want a function to provide integrity and authentication, and
> that is to be combined with a stream cipher (as is the plaintext). I
> believe that authentication is free once I have integrity given the
> fact that the hash value is superencrypted using the stream cipher,
> whose key is shared by only the sender and recipient.
It's not safe to use a hash function this way if the content is known to
the attacker. Consider the case where you're transmitting message M. The
hash is H(M). You then encrypt (M || H(M)), generating K XOR (M || H(M)).
If the attacker knows M and H, he can compute (M || H(M)) and compute K.
Then he can re-encrypt a message M' of his choice.

If you want integrity with a stream cipher you'd really be much better off
using a MAC.

-Ekr

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
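An added example, not from the thread, that walks through both halves of Ekr's point in Python: the construction K XOR (M || H(M)) with an unkeyed hash lets someone who knows M recover the keystream and re-encrypt a same-length M' that still verifies, while a keyed HMAC over the ciphertext rejects the same rewrite. The counter-mode keystream generator and the two sample messages are constructed stand-ins (assumptions), not a real stream cipher, and the forged message is assumed to be sent under the same key and keystream, which is the scenario the reply describes.

```python
import hashlib
import hmac
TAG = 32  # SHA-256 digest length

def keystream(key, n):
    # Stand-in stream cipher (constructed for this example): HMAC-SHA256 in counter mode.
    blocks = (hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + TAG - 1) // TAG))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Weak construction from the thread: K XOR (M || H(M)), unkeyed hash under the cipher.
def seal_weak(key, m):
    body = m + hashlib.sha256(m).digest()
    return xor(body, keystream(key, len(body)))

def open_weak(key, c):
    body = xor(c, keystream(key, len(c)))
    m, h = body[:-TAG], body[-TAG:]
    return m if hmac.compare_digest(h, hashlib.sha256(m).digest()) else None

def forge_weak(c, known_m, new_m):
    # Ekr's attacker: knows M and H but not K; recovers K, re-encrypts M' || H(M').
    assert len(new_m) == len(known_m)
    k = xor(c, known_m + hashlib.sha256(known_m).digest())
    return xor(new_m + hashlib.sha256(new_m).digest(), k)

# Fix: a keyed MAC over the ciphertext (encrypt-then-MAC with HMAC-SHA256).
def seal_mac(kenc, kmac, m):
    c = xor(m, keystream(kenc, len(m)))
    return c + hmac.new(kmac, c, hashlib.sha256).digest()

def open_mac(kenc, kmac, blob):
    c, tag = blob[:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(kmac, c, hashlib.sha256).digest()):
        return None  # tag mismatch: reject before decrypting
    return xor(c, keystream(kenc, len(c)))

def forge_mac(blob, known_m, new_m):
    # Same keystream recovery; the ciphertext can be rewritten, the tag cannot.
    c, tag = blob[:-TAG], blob[-TAG:]
    return xor(new_m, xor(c, known_m)) + tag

def demo(kenc=b"k" * 32, kmac=b"m" * 32):
    m, m2 = b"PAY $100 TO ALICE", b"PAY $900 TO MALLO"  # constructed sample messages
    weak = open_weak(kenc, forge_weak(seal_weak(kenc, m), m, m2))
    fixed = open_mac(kenc, kmac, forge_mac(seal_mac(kenc, kmac, m), m, m2))
    return weak, fixed  # (b"PAY $900 TO MALLO", None)
```

The first result is the attacker's message accepted as genuine by the hash-only receiver; the second is the MAC receiver refusing the rewritten ciphertext.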
