What are the security risks if I use a hash function $H$ such that $Y=H(K||M||N)$, where $K$ is a secret key, $M$ is a message, $N$ is a nonce and $||$ is the concatenation operation (where the length of $K||M||N$ is fixed and is less than or equal to the block size of the hash $H$)?
1 Answer
In general, the construction $H(K||M||N)$ where $H, Y, N$ are known to an attacker is arguably no more secure than $H(K||M)$, which we already know to be broken. For that latter construction, we can easily forge a MAC of the form $K||M||PADDING||Z$ for some message $Z$.
This same attack would apply to the construction proposed in the question, except the forgery would be of the form $K||M||N||PADDING||Z||N$. This attack is feasible on many currently used hash functions; however, it is not feasible on the new SHA-3.
mikeazo
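The property the answer relies on, as an added example that is not part of the original answer: in a Merkle–Damgård hash the digest is the final chaining state, so a tag over $K||M||N$ can be continued to a tag over $K||M||N||PADDING||Z||N'$ knowing only the total input length. MD5 is used here as a representative hash of that family (an assumption; the page names none), and the function names and sample key, message and nonce values are constructed for illustration.

```python
import hashlib, math, struct

# MD5 (RFC 1321) written out so the chaining state can be set by the caller.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
T = [int(abs(math.sin(i + 1)) * 2**32) for i in range(64)]
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
M32 = 0xFFFFFFFF

def compress(state, block):
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:   f, g = (b & c) | (~b & d), i
        elif i < 32: f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48: f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:        f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + T[i] + m[g]) & M32
        a, d, c = d, c, b
        b = (b + ((f << S[i]) | (f >> (32 - S[i])))) & M32
    return tuple((x + y) & M32 for x, y in zip(state, (a, b, c, d)))

def md_pad(length):
    # Padding appended to an input of `length` bytes: 0x80, zeros, 64-bit bit count.
    return b"\x80" + b"\x00" * ((55 - length) % 64) + struct.pack("<Q", length * 8)

def md5(data, state=IV, prior=0):
    # `prior` = bytes already absorbed into `state` (0 for a fresh hash).
    data += md_pad(prior + len(data))
    for i in range(0, len(data), 64):
        state = compress(state, data[i:i + 64])
    return struct.pack("<4I", *state)

def extend(tag, known_len, suffix):
    # Resume hashing from a published tag; the key itself is never used.
    state = struct.unpack("<4I", tag)
    glue = md_pad(known_len)
    return glue, md5(suffix, state, known_len + len(glue))

def demo():
    # Constructed sample values, not taken from the page.
    key, msg, nonce = b"constructed-key!", b"amount=10", b"nonce-01"
    tag = hashlib.md5(key + msg + nonce).digest()          # Y = H(K||M||N)
    z, nonce2 = b"&extra=1", b"nonce-02"
    glue, forged = extend(tag, len(key + msg + nonce), z + nonce2)
    # Verifier recomputes H(K||M'||N') with M' = M||N||PADDING||Z and accepts.
    return forged == hashlib.md5(key + msg + nonce + glue + z + nonce2).digest()
```

`demo()` returns `True`: the verifier's keyed recomputation matches a tag that was produced without the key.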