Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
Part 1: General - Computer Security Resource Center - National ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
March, 2007<br />
is the same value as the hash of any given message. Cryptographic message authentication<br />
algorithms (MAC) employ hashes or symmetric encryption algorithms and a key to authenticate<br />
the source of a message, as well as protect its integrity (i.e., detect errors). Digital signatures use<br />
public key algorithms and hash algorithms to provide both authentication and integrity services.<br />
Compared to non-cryptographic integrity or authentication mechanisms, these cryptographic<br />
services are usually computationally more expensive; this seems to be unavoidable, since<br />
cryptographic protections must also resist deliberate attacks by knowledgeable adversaries with<br />
substantial resources.<br />
Cryptographic and non-cryptographic integrity mechanisms may be used together. For example,<br />
consider the TLS protocol (see <strong>Part</strong> 3). In TLS, a client and a server can authenticate each other,<br />
establish a shared "master key" and transfer encrypted payload data. Every step in the entire TLS<br />
protocol run is protected by strong cryptographic integrity and authentication mechanisms, and<br />
the payload is usually encrypted. Like most cryptographic protocols, TLS will detect any attack<br />
or noise event that alters any part of the protocol run with a given probability. However, TLS has<br />
no error recovery protocol. If an error is detected, the protocol run is simply terminated. Starting<br />
a new TLS protocol run is quite expensive. Therefore, TLS requires a "reliable" transport<br />
service, typically the Internet Transport Control Protocol (TCP), to handle and recover from<br />
ordinary network transmission errors. TLS will detect errors caused by an attack or noise event,<br />
but has no mechanism to recover from them. TCP will generally detect such errors on a packetby-packet<br />
basis and recover from them by retransmission of individual packets, before delivering<br />
the data to TLS. Both TLS and TCP have integrity mechanisms, but a sophisticated attacker<br />
could easily fool the weaker non-cryptographic checksums of TCP. However, because of the<br />
cryptographic integrity mechanism provided in TLS, the attack is thwarted.<br />
There are some interactions between cryptographic and non-cryptographic integrity or errorcorrection<br />
mechanisms that users and protocol designers must take into account. For example,<br />
many encryption modes expand ciphertext errors: a single bit error in the ciphertext can change<br />
an entire block or more of the resulting plaintext. If forward error correction is applied before<br />
encryption, and errors are inserted in the ciphertext during transmission, the error expansion<br />
during the decryption might "overwhelm" the error correction mechanism, making the errors<br />
uncorrectable. Therefore, it is preferable to apply the forward error correction mechanism after<br />
the encryption process. This will allow the correction of errors by the receiving entity’s system<br />
before the ciphertext is decrypted, resulting in “correct” plaintext.<br />
Interactions between cryptographic and non-cryptographic mechanisms can also result in<br />
security vulnerabilities. One classic way this occurs is with protocols that use stream ciphers 32<br />
with non-cryptographic checksums (e.g. CRC-32) and that acknowledge good packets. An<br />
attacker can copy the encrypted packet, selectively modify individual ciphertext bits, selectively<br />
change bits in the CRC, and then send the packet. Using the protocol’s acknowledgement<br />
mechanism, the attacker can determine when the CRC is correct, and therefore, determine certain<br />
bits of the underlying plaintext. At least one widely used wireless encryption protocol has been<br />
broken with such an attack.<br />
32 Stream ciphers encrypt and decrypt one element (e.g., bit or byte) at a time. There are no FIPS algorithms<br />
specifically designated as stream ciphers. However, some of the cryptographic modes defined in [SP 800-38] can<br />
be used with a symmetric block cipher algorithm, such as AES, to perform the function of a stream cipher.<br />
124