Proof that CRCs are not secure

[Black_David@emc.com]

A while back, there was some interest in using a CRC
as a secure integrity checksum (e.g., by adding it
to IPSec).  This was rejected on principle as being
insecure.  I recently stumbled across a practical
demonstration of this insecurity.

The WEP protocol for 802.11b wireless security made
the mistake of using a CRC as their integrity checksum,
and as a result can be attacked by tampering with
data in flight - the fact that the data was tampered
with is undetectable even when everything is encrypted
because it's too easy to figure out which bits have
to be flipped in the CRC to hide the tampering.  This
is described in the fourth paragraph of the "Problems"
section at:

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

<SECURITY-EXPERT-COMMENT>
Lest I get jumped on by the security experts, a
contributing factor to this WEP vulnerability is
the use of a stream cipher (RC4) rather than a
block cipher (e.g., DES, AES) - i.e., this simple
bit-flipping attack won't work against a good block
cipher, but such an approach requires confidentiality
(i.e., encryption) to obtain cryptographic integrity.
The usual design approach is to use something like
a keyed HMAC (cf. RFC 2104) to support cryptographic
integrity without requiring confidentiality.
</SECURITY-EXPERT-COMMENT>

This doesn't change anything the WG is currently doing -
there is no active proposal to use a CRC for cryptographic
integrity, and this does not affect the use of CRCs
in header digests, data digests, and the like.  This
is just an FYI based on past discussion of this topic.

Thanks,
--David

---------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 42 South St., Hopkinton, MA  01748
+1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
black_david@emc.com       Mobile: +1 (978) 394-7754
---------------------------------------------------