In article <010801c064d0$b64193a0$6000a8c0@em>,
Enzo Michelangeli <[EMAIL PROTECTED]> wrote:
>Apart from the parallelization-friendliness, wouldn't the same result be
>achieved by encrypting the concatenation of the plaintext with a MAC
>implemented through a fast error detection code (say, a sufficiently long
>CRC)? Due to the presence of encryption, the security properties of the
>inner MAC don't appear to really matter (as they would in the "DES-CBC
>first, then HMAC-MD5" scenario mentioned in the draft for comparison).

I may be misunderstanding what you are suggesting, but the construction
that uses an encrypted CRC as a MAC is insecure.  E.g., Stubblebine &
Gligor[1] show attacks on protocols which encrypt the concatenation of a
packet and a CRC-32 using DES-CBC.  The properties of the MAC, encrypted
or not, do appear to matter.

I think, though, that the "parallelization-friendliness" of the result
is much more interesting than being able to encrypt and MAC at the same
time.

- Nikita

[1] "On Message Security in Cryptographic Protocols", IEEE Symposium on
Security & Privacy, Oakland 1992.
