25

To build a secure system, can we assume that encryption guarantees integrity is true before starting a secure programming?

  • Both in symmetric and public-key encryption, is my question well-proofed?
  • If no, what are the vulnerabilities, can you give an example?
berkay
  • 1
    What do you mean by integrity? Data integrity? – NullUserException Sep 07 '10 at 03:21
  • Question for the OP (or anyone else able to answer): what is meant here by "assume my question"? –  Dec 16 '17 at 17:47
  • @sampablokuper, fixed my writing. – berkay Dec 28 '17 at 21:01
  • @berkay, thanks, but it is still unclear. What do you mean by "assume that my question is true"? In the logics with which I am familiar, statements can be true (or false, or perhaps indeterminate), but questions do not have truth-values. –  Dec 29 '17 at 01:59

3 Answers

30

No. This is easy to see if you consider the one-time pad, a simple (theoretically) perfectly secure system.

If you change any bit of the output, a bit of the clear text will change, and the recipient has no way to detect this.

This is an obvious case, but the same conclusion applies to most encryption systems. They only provide for confidentiality, not integrity.

Thus, you may want to add a digital signature. Interestingly, when using public key cryptography, it is not sufficient to sign then encrypt (SE), or to encrypt then sign (ES). Both of these are vulnerable to replay attacks. You have to either sign-encrypt-sign or encrypt-sign-encrypt to have a generally secure solution. This paper explains why in detail.

If you use SE, the recipient can decrypt the message, then re-encrypt it to a different recipient. This then deceives the new recipient about the sender's intended recipient.

If you use ES, an eavesdropper can remove the signature and add their own. Thus, even though they can't read the message, they can take credit for it, pretending to be the original sender.

Matthew Flaschen
  • What if I encrypt my message with my private key and send it? How can the integrity property be violated? – berkay Sep 07 '10 at 03:28
  • 2
    Encrypting with your private key is more commonly known as signing. This provides integrity, but not confidentiality. Everyone knows your public key, so they can "decrypt" (verify) the message. – Matthew Flaschen Sep 07 '10 at 03:31
  • it will be better to encrypt the hashed message will be faster and effective so this is signature, ok your assumption is no security hole for just integrity by encrypting with my private key. – berkay Sep 07 '10 at 03:33
  • 1
    It's interesting to note that AES offers an integrity enforcing mode. – atk Sep 07 '10 at 04:06
  • @atk yes all block ciphers do, it's called CMAC mode, which I posted about. – rook Sep 07 '10 at 19:32
  • @Rook I was under the impression that this mode was specific to AES - or perhaps was simply new. Do you have further details? – atk Sep 07 '10 at 20:34
  • @atk All block cipher modes of operation are universal. The point of a cryptographic primitive is that they can be interchangeable. http://en.wikipedia.org/wiki/CMAC – rook Sep 08 '10 at 16:01
11

In short the answer is no. Message Integrity and Secrecy are different, and require different tools.

Let's take a simple coin flip into consideration, and in this case we are betting on the results. The result is a simple bool and I encrypt it using a stream cipher like RC4 which yields 1 encrypted bit and I email it to you. You don't have the key, and I ask you to email me back the answer.

A few attacks can happen in this scenario.

1) An attacker could modify the bit in transit, if it was a 0 there is a 50% chance it will become a 1 and the contrary is true. This is because RC4 produces a PRNG stream that is XOR'ed with the plain text to produce the cipher text, similar to a one time pad.

2) Another possibility is that I could provide you with a different key to make sure your answer is wrong. This is easy to brute force, I just keep trying keys until I get the proper bit flip.

A solution is to use a block cipher in CMAC Mode. A CMAC is a message authentication code similar to an HMAC but it uses a block cipher instead of a message digest function. The secret key (K) is the same key that you use to encrypt the message. This adds n+1 blocks to the cipher text. In my scenario this prevents both attacks 1 and 2. An attacker cannot flip a simple bit because the plain text is padded, even if the message only takes up 1 bit I must transmit a minimum of 1 block using a block cipher. The additional authentication block prevents me from changing the key, and it also provides integrity from anyone attempting to modify the cipher text in transit (although this would be very difficult to do in practice, the additional layer of security is useful).

WPA2 uses AES-CMAC for these reasons.

rook
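An added example (not code from either answer) that covers the undetected bit flip described in the first answer and both coin-flip attacks in this one, then shows an authentication tag rejecting them. It assumes a toy keystream built from HMAC-SHA256 in place of RC4 or a one-time pad, and HMAC in place of CMAC because the Python standard library has no CMAC; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, n: int = 32) -> bytes:
    # HMAC-SHA256 used as a PRF: derives the keystream and a separate MAC key.
    return hmac.new(key, label, hashlib.sha256).digest()[:n]

def encrypt(key: bytes, msg: bytes) -> bytes:
    # Toy stream cipher (assumption): XOR with a key-derived keystream.
    if len(msg) > 32:
        raise ValueError("toy keystream covers at most 32 bytes")
    return bytes(m ^ k for m, k in zip(msg, _prf(key, b"ks", len(msg))))

decrypt = encrypt  # XOR is its own inverse

def seal(key: bytes, msg: bytes) -> bytes:
    # Encrypt-then-MAC: the tag is computed over the ciphertext.
    ct = encrypt(key, msg)
    return ct + hmac.new(_prf(key, b"mac"), ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes):
    # Returns the plaintext, or None if the tag fails under this key.
    ct, tag = blob[:-32], blob[-32:]
    good = hmac.new(_prf(key, b"mac"), ct, hashlib.sha256).digest()
    return decrypt(key, ct) if hmac.compare_digest(tag, good) else None

def flip_low_bit(data: bytes) -> bytes:
    # Attack 1: modify one ciphertext bit in transit.
    return bytes([data[0] ^ 1]) + data[1:]

def find_other_key(ct: bytes, wanted: bytes) -> bytes:
    # Attack 2: the sender searches for another key that opens ct to `wanted`.
    while True:
        k = secrets.token_bytes(16)
        if decrypt(k, ct) == wanted:
            return k

def demo() -> dict:
    key = secrets.token_bytes(16)
    heads, tails = b"\x00", b"\x01"  # constructed one-byte coin result
    ct, blob = encrypt(key, heads), seal(key, heads)
    other = find_other_key(ct, tails)
    return {
        "flip_bare": decrypt(key, flip_low_bit(ct)),        # altered, accepted
        "flip_sealed": open_sealed(key, flip_low_bit(blob)),  # rejected
        "swap_bare": decrypt(other, ct),                    # altered, accepted
        "swap_sealed": open_sealed(other, blob),            # rejected
        "honest": open_sealed(key, blob),
    }
```
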
2

If data integrity is a specific concern to you, you should use a cryptographic hash function, combined with an encryption algorithm.

But it really does come down to using the correct tool for the job. Some encryption algorithms may provide some level of checksum validation built-in, others may not.

Ash