In secure communication and storage applications, it is often desirable to protect both the secrecy and the integrity of information in order to ensure that neither unauthorized disclosure nor undetected modification occurs. For example, if the integrity of an electronic communication is protected, but not its secrecy, an attacker can intercept the communication and make free use of the information contained therein. Similarly, if the secrecy of a communication is protected, but not its integrity, an attacker can intercept the communication and alter it in a way that subverts the purpose of the communication. For example, if the communication consists of an encrypted software program, an attacker could intercept the ciphertext version of the program during transmission and modify it in a way that causes it to fail or to perform unwanted or malicious operations. Without a way to detect such modifications, the recipient (and the sender) will be unable to prevent execution of the corrupted program, and the recipient may attribute the faulty or malicious behavior of the program to poor workmanship or malicious intent on the part of the author or distributor. One of ordinary skill in the art will appreciate that there are other situations in which it is advantageous to preserve both the secrecy and the integrity of a communication.
Conventional techniques typically use two independent mechanisms to provide secrecy and authentication. For example, an encryption algorithm may be used to protect secrecy, and a separate cryptographic checksum or message authentication code may be used to detect modifications. A commonly employed solution is to use the Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode for secrecy protection, and a DES-CBC Message Authentication Code (MAC) to provide integrity protection or validation, using different cryptographic keys for each process to prevent straightforward attacks on the DES-CBC MAC.
FIGS. 1A and 1B illustrate this conventional approach. Referring to FIG. 1A, the sender of a message encrypts the plaintext form of the message 10 using encryption function 12. In addition, the sender generates a message authentication code (MAC) 16 by applying MAC function 18 to plaintext 10. The sender combines MAC 16 with ciphertext 14, and sends the result 15 to the recipient. As shown in FIG. 1B, upon receipt of message 15′ (i.e., message 15 after transmission), the recipient must first decrypt the ciphertext using decryption function 20. Decryption function 20 yields a plaintext representation of the message 22, which the recipient checks for authenticity by computing a MAC 24. MAC 24 is compared to MAC 16′ (i.e., the received version of MAC 16) attached to ciphertext message 15′. If MAC 24 is equal to MAC 16′, then the message is deemed to be valid.
This conventional approach has significant disadvantages, however, as it typically requires that two algorithms (i.e., one for secrecy and one for authentication) be implemented in the system, and that the protected data be processed twice. In addition, as FIGS. 1A and 1B illustrate, the conventional process requires that these two processing passes be performed by both the sender and the recipient. Moreover, even if the same basic algorithm is used for both functions, storage is still required for the runtime state of two instances of the algorithm, and twice the processing resources, as well as two different cryptographic keys in some implementations, are required to perform both functions.
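As an added example (not code from the original document), the two-pass, two-key scheme of FIGS. 1A and 1B written in Go with the standard library's DES-CBC; the function names, key values and PKCS#7-style padding are assumptions. It makes the cost concrete: the sender runs the cipher twice over the data, and the recipient must finish a full decryption pass before the MAC pass can tell it whether anything was modified.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
)
// mustDES builds a DES block cipher; keys here are fixed 8-byte values, so a bad key is fatal.
func mustDES(key []byte) cipher.Block {
	blk, err := des.NewCipher(key)
	if err != nil { panic(err) }
	return blk
}
// pad appends PKCS#7-style padding so the data is a whole number of DES blocks.
func pad(p []byte) []byte {
	n := des.BlockSize - len(p)%des.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}
// unpad strips that padding; nil means the padding was malformed (e.g. after tampering).
func unpad(p []byte) []byte {
	if len(p) == 0 { return nil }
	n := int(p[len(p)-1])
	if n == 0 || n > des.BlockSize || n > len(p) { return nil }
	return p[:len(p)-n]
}
// cbcMAC is the DES-CBC MAC: the last block of CBC-encrypting the padded data under a zero IV.
func cbcMAC(macKey, data []byte) []byte {
	out := pad(data) // fresh buffer, encrypted in place
	cipher.NewCBCEncrypter(mustDES(macKey), make([]byte, des.BlockSize)).CryptBlocks(out, out)
	return out[len(out)-des.BlockSize:]
}
// Protect is the sender side (FIG. 1A): pass 1 CBC-encrypts under encKey, pass 2 MACs the
// plaintext under the separate macKey, and the MAC is appended to the ciphertext.
func Protect(encKey, macKey, iv, plaintext []byte) []byte {
	ct := pad(plaintext)
	cipher.NewCBCEncrypter(mustDES(encKey), iv).CryptBlocks(ct, ct)
	return append(ct, cbcMAC(macKey, plaintext)...)
}
// Open is the recipient side (FIG. 1B): decrypt first, then recompute the MAC over the recovered
// plaintext and compare it (in constant time) with the received MAC; ok is false on any mismatch.
func Open(encKey, macKey, iv, msg []byte) (plaintext []byte, ok bool) {
	if len(msg) < 2*des.BlockSize || len(msg)%des.BlockSize != 0 { return nil, false }
	ct, tag := msg[:len(msg)-des.BlockSize], msg[len(msg)-des.BlockSize:]
	pt := append([]byte{}, ct...) // decrypted in place
	cipher.NewCBCDecrypter(mustDES(encKey), iv).CryptBlocks(pt, pt)
	if pt = unpad(pt); pt == nil || subtle.ConstantTimeCompare(cbcMAC(macKey, pt), tag) != 1 { return nil, false }
	return pt, true
}
```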
A related approach is to use a cryptographic hash function, such as the Secure Hash Algorithm version 1 (i.e., SHA-1), to append a secure manipulation detection code (MDC) to the plaintext, and then to encrypt the plaintext and the MDC for secrecy protection using a block cipher such as DES. This approach is illustrated in FIGS. 2A and 2B, which show the operations performed at the message source and at the message destination, respectively. The techniques shown in FIGS. 2A and 2B are used in the Internet Protocol Security Extensions (IPSEC), and have a processing time advantage over the techniques shown in FIGS. 1A and 1B, since cryptographic hash functions are typically faster than block ciphers of similar strength. However, although this approach is faster, it can require more code space (or hardware), since it employs two distinct algorithms.
Various approaches have been suggested for eliminating the extra processing burden and the extra algorithmic cost associated with the techniques described above. For example, the error propagation properties of some modes of operation appear to provide a degree of integrity protection (validation). One such approach, Propagating Cipher Block Chaining (PCBC), was specifically designed to ensure that any manipulation of the ciphertext would damage all subsequent ciphertext. However, PCBC, like other attempts to achieve similar results, is vulnerable to relatively straightforward attacks. For example, with respect to PCBC, swapping two ciphertext blocks leaves the rest of the message unchanged.
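An added example, not from the original document, that checks in Go why PCBC's error propagation is not an integrity mechanism: the chaining value after any run of blocks is the IV XORed with the terms C_i XOR D(C_i), which is independent of block order, so exchanging two ciphertext blocks leaves every later block decrypting unchanged and the recipient sees nothing downstream of the damage. Function names and the key, IV and plaintext values are assumptions.

```go
package main

import "crypto/des"

// xorBlock stores a XOR b into dst (all des.BlockSize bytes; dst may alias a).
func xorBlock(dst, a, b []byte) {
	for j := 0; j < des.BlockSize; j++ { dst[j] = a[j] ^ b[j] }
}
// pcbcEncrypt: C_i = E(P_i XOR P_{i-1} XOR C_{i-1}), with P_0 XOR C_0 taken to be the IV.
// Input must be a whole number of DES blocks; key and iv must be 8 bytes (constructed values in use).
func pcbcEncrypt(key, iv, pt []byte) []byte {
	blk, err := des.NewCipher(key)
	if err != nil || len(iv) != des.BlockSize || len(pt)%des.BlockSize != 0 { panic("bad key, iv or unpadded input") }
	chain, tmp := append([]byte{}, iv...), make([]byte, des.BlockSize)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += des.BlockSize {
		p, c := pt[i:i+des.BlockSize], ct[i:i+des.BlockSize]
		xorBlock(tmp, p, chain)
		blk.Encrypt(c, tmp)
		xorBlock(chain, p, c) // both plaintext and ciphertext feed forward
	}
	return ct
}
// pcbcDecrypt: P_i = D(C_i) XOR P_{i-1} XOR C_{i-1}; a damaged block corrupts everything after it.
func pcbcDecrypt(key, iv, ct []byte) []byte {
	blk, err := des.NewCipher(key)
	if err != nil || len(iv) != des.BlockSize || len(ct)%des.BlockSize != 0 { panic("bad key, iv or partial block") }
	chain := append([]byte{}, iv...)
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		p, c := pt[i:i+des.BlockSize], ct[i:i+des.BlockSize]
		blk.Decrypt(p, c)
		xorBlock(p, p, chain)
		xorBlock(chain, p, c)
	}
	return pt
}
// decryptWithSwap decrypts ct with blocks a and b exchanged so a checker can compare the result
// with the honest decryption. The chaining value after the pair is IV XOR (C_a XOR D(C_a)) XOR
// (C_b XOR D(C_b)) XOR ..., the same in either order, so every later block comes out unchanged.
func decryptWithSwap(key, iv, ct []byte, a, b int) []byte {
	bs := des.BlockSize
	swapped := append([]byte{}, ct...)
	copy(swapped[a*bs:(a+1)*bs], ct[b*bs:(b+1)*bs])
	copy(swapped[b*bs:(b+1)*bs], ct[a*bs:(a+1)*bs])
	return pcbcDecrypt(key, iv, swapped)
}
```

A receiver that relies on "garbage after the modification" as its validity signal therefore accepts the tail of such a message as genuine.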
Thus, there is a need for systems and methods that protect the secrecy and integrity of a message without consuming the time, memory, or processing resources associated with conventional approaches. In addition, there is a need for systems and methods that can provide these efficiencies without decreasing the level of security substantially below that which is offered by the conventional approaches.