NIST SP 800-57 Pt. 1 Rev. 4 Recommendation for
Key Management: General
effective in detecting random noise events, but they also detect the more systematic deliberate
attacks. Cryptographic hash functions, such as SHA-256, are designed to make every bit of the
hash value a complex, nonlinear function of every bit of the message text, and to make it
impractical to find two messages that hash to the same value. On average, it is necessary to
perform about 2^128 SHA-256 hash operations to find two messages that hash to the same value
(the birthday bound for a 256-bit output), and it is much harder (on the order of 2^256
operations) to find another message whose SHA-256 hash is the same as the hash of any given
message. Cryptographic message authentication code (MAC) algorithms employ hash functions or
symmetric encryption algorithms together with a secret key to authenticate the source of a
message and to protect its integrity (i.e., to detect both accidental errors and deliberate
modification). Digital signatures use
public-key algorithms and hash functions to provide both integrity and source-authentication
services. Compared to non-cryptographic integrity or source-authentication mechanisms, these
cryptographic services are usually computationally more expensive; this seems to be
unavoidable, since cryptographic protections must also resist deliberate attacks by
knowledgeable adversaries with substantial resources.
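The cost figures in this paragraph can be checked empirically on a truncated hash. The following Python is an added example, not text or code from SP 800-57: it truncates SHA-256 to t bits (the truncation width, the counter-built messages and the target message are assumptions made for the demonstration) and counts the hash operations a generic collision search and a second-preimage search actually need. At 32 bits a collision costs about 2^16 hashes, which is what a second preimage costs at 16 bits; that is the 2^(n/2) versus 2^n relationship the paragraph states for the full 256-bit function.

```python
"""Collision search versus second-preimage search on a truncated SHA-256.

Added example, not text from SP 800-57. SHA-256 is truncated to t bits so that
both searches finish in seconds. The generic (birthday) collision search finds
two messages with equal truncated hash after roughly 2^(t/2) hash operations;
the second-preimage search against one fixed message needs roughly 2^t. The
truncation width, prefixes and target message are constructed for the demo;
for the full function the same ratio gives 2^128 versus 2^256.
"""
import hashlib
import math


def h_trunc(msg: bytes, t_bits: int) -> int:
    """SHA-256 truncated to its leading t_bits bits, returned as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - t_bits)


def find_collision(t_bits: int, prefix: bytes = b"m-"):
    """Birthday search: hash fresh messages until a truncated value repeats.

    Returns (m1, m2, hashes_computed) with m1 != m2 and equal truncated hashes.
    Expected work is about sqrt(pi/2) * 2^(t_bits/2) hash operations."""
    seen = {}
    n = 0
    while True:
        m = prefix + n.to_bytes(8, "big")   # distinct message per counter value
        n += 1
        hv = h_trunc(m, t_bits)
        if hv in seen:
            return seen[hv], m, n
        seen[hv] = m


def find_second_preimage(target: bytes, t_bits: int, prefix: bytes = b"x-"):
    """Brute-force a message different from target with the same truncated hash.

    Returns (m, hashes_computed). Expected work is about 2^t_bits operations,
    the square of the collision cost for the same output width."""
    want = h_trunc(target, t_bits)
    n = 0
    while True:
        m = prefix + n.to_bytes(8, "big")
        n += 1
        if m != target and h_trunc(m, t_bits) == want:
            return m, n


def expected_costs(t_bits: int):
    """Textbook estimates: (collision cost, second-preimage cost) for a t-bit hash."""
    return math.sqrt(math.pi / 2) * 2 ** (t_bits / 2), 2.0 ** t_bits


if __name__ == "__main__":
    # A 32-bit truncation collides after ~2^16 hashes; a second preimage for a
    # 16-bit truncation also takes ~2^16 hashes: halving the width of the
    # output doubles the exponent the generic attack can afford.
    m1, m2, n_coll = find_collision(32)
    m3, n_pre = find_second_preimage(b"the genuine message", 16)
    print(f"32-bit collision after {n_coll} hashes "
          f"(expected ~{expected_costs(32)[0]:.0f}): {m1!r} / {m2!r}")
    print(f"16-bit second preimage after {n_pre} hashes "
          f"(expected ~{expected_costs(16)[1]:.0f}): {m3!r}")
```

Running the script prints the observed counts next to the textbook estimates; repeating it with a larger width shows the second-preimage search falling behind the collision search quadratically, which is why a 256-bit hash is rated at 128 bits against collisions but 256 bits against second preimages.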
Cryptographic and non-cryptographic integrity-authentication mechanisms may be used
together. For example, consider the TLS protocol (see [SP800-52]). In TLS, a client and a
server can authenticate the identity of each other, establish a shared "master key" and transfer
encrypted payload data. Every step in the entire TLS protocol run is protected by cryptographic
integrity and source-authentication mechanisms, and the payload is usually encrypted. Like
most cryptographic protocols, TLS will, with a given probability, detect any attack or noise
event that alters any part of the protocol run. However, TLS has no error-recovery protocol. If
an error is detected, the protocol run is simply terminated. Starting a new TLS protocol run is
quite expensive. Therefore, TLS requires a “reliable” transport service, typically the Transmission
Control Protocol (TCP), to handle and recover from ordinary network-transmission
errors. TLS will detect errors caused by an attack or noise event, but has no mechanism to
recover from them. TCP will generally detect such errors on a packet-by-packet basis and
recover from them by retransmission of individual packets before delivering the data to TLS.
Both TLS and TCP have integrity-authentication mechanisms, but a sophisticated attacker
could easily fool the weaker non-cryptographic checksums of TCP. However, because of the
cryptographic integrity-authentication mechanism provided in TLS, the attack is thwarted.
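The claim that an attacker can fool TCP's checksum but not TLS's cryptographic check is worth seeing concretely. The following Python is an added example, not code from SP 800-57 or from any TLS or TCP implementation: it computes the RFC 1071 ones'-complement checksum that TCP carries, alters a transfer message while fixing up a second attacker-controlled field so the checksum is unchanged, and then shows that an HMAC-SHA256 tag over the same bytes (standing in for the TLS record MAC) rejects the forgery. The message layout, field names, offsets and key are constructed for the illustration; the real TCP checksum also covers a pseudo-header, which does not change the arithmetic.

```python
"""A non-cryptographic checksum is forged; a MAC over the same bytes is not.

Added example, not from SP 800-57. A message segment is protected by the
16-bit ones'-complement Internet checksum used by TCP (RFC 1071). An attacker
who can rewrite the segment changes the amount field and then rewrites a
16-bit field it also controls (the trailing REF field) so the checksum still
verifies. HMAC-SHA256 over the same segment rejects the forgery, because a
valid tag cannot be produced without the key. Segment format, offsets and key
are constructed for this demonstration.
"""
import hashlib
import hmac


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum with end-around carry (RFC 1071), before inversion."""
    if len(data) % 2:
        data += b"\x00"            # RFC 1071 pads an odd-length input with a zero byte
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """The checksum field value: bitwise complement of the folded sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def forge_preserving_checksum(segment: bytes, off: int, new_bytes: bytes, slack_off: int) -> bytes:
    """Overwrite segment[off:off+len(new_bytes)] and rewrite the 16-bit word at
    slack_off (an attacker-controlled field on an even offset) so the Internet
    checksum is unchanged. Ones'-complement addition is arithmetic modulo
    2^16 - 1, so the compensating word is the difference of the two sums mod 0xFFFF."""
    if slack_off % 2 or slack_off + 2 > len(segment):
        raise ValueError("slack field must be a 16-bit word at an even offset")
    wanted = ones_complement_sum(segment)
    forged = bytearray(segment)
    forged[off:off + len(new_bytes)] = new_bytes
    forged[slack_off:slack_off + 2] = b"\x00\x00"
    partial = ones_complement_sum(bytes(forged))
    forged[slack_off:slack_off + 2] = ((wanted - partial) % 0xFFFF).to_bytes(2, "big")
    return bytes(forged)


def mac(key: bytes, segment: bytes) -> bytes:
    return hmac.new(key, segment, hashlib.sha256).digest()


def mac_verify(key: bytes, segment: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, segment), tag)   # constant-time comparison


# Constructed sample: the last two bytes are a REF field the attacker may set freely.
KEY = b"constructed-demo-key"
SEGMENT = b"TRANSFER AMT=00000100 TO=ACCT-B REF=\x00\x00"


def run_attack(segment: bytes = SEGMENT, key: bytes = KEY):
    """Returns (forged_segment, checksum_accepts_forgery, mac_accepts_forgery)."""
    tag = mac(key, segment)                      # computed by the legitimate sender
    forged = forge_preserving_checksum(segment, segment.index(b"00000100"),
                                       b"00999900", len(segment) - 2)
    return (forged,
            internet_checksum(forged) == internet_checksum(segment),
            mac_verify(key, forged, tag))


if __name__ == "__main__":
    forged, cksum_ok, mac_ok = run_attack()
    print("forged segment:", forged)
    print("TCP-style checksum still verifies:", cksum_ok)   # True
    print("HMAC-SHA256 still verifies:       ", mac_ok)     # False
```

The forgery needs only a few additions: any attacker who can rewrite bytes on the path can keep a 16-bit ones'-complement checksum valid, which is why TCP's check is adequate against noise but not against an adversary, and why the TLS record layer must carry its own keyed integrity check.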
There are some interactions between cryptographic and non-cryptographic integrity or error-
correction mechanisms that users and protocol designers must take into account. For example,
many encryption modes expand ciphertext errors: a single bit error in the ciphertext can change
an entire block or more of the resulting plaintext. If forward error correction is applied before
encryption, and errors are inserted in the ciphertext during transmission, the error expansion
during the decryption might “overwhelm” the error-correction mechanism, making the errors
uncorrectable. Therefore, it is preferable to apply the forward error-correction mechanism after
the encryption process. This will allow the correction of errors by the receiving entity’s system
before the ciphertext is decrypted, resulting in “correct” plaintext.
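The error-expansion behaviour and the ordering advice above can be shown end to end. The following Python is an added example, not code from SP 800-57 or SP 800-38: because the standard library has no AES, it uses a stand-in 128-bit block cipher (a 4-round Feistel network with a keyed SHA-256 round function, an assumption made for the demo and not an approved algorithm), runs it in CBC and in CTR mode, and applies a 3x repetition code as a minimal forward error-correction scheme both before and after encryption. The key, IV, nonce, plaintext and the position of the injected bit error are constructed values.

```python
"""Ciphertext error expansion in CBC, none in CTR, and where to place FEC.

Added example, not text from SP 800-57. The block cipher is a stand-in for
AES: a 4-round Feistel network on 128-bit blocks with keyed SHA-256 as the
round function (a textbook construction used only to exercise the modes; it
is not an approved algorithm). CBC turns one flipped ciphertext bit into a
fully garbled block plus one flipped bit in the next block; CTR acts as a
stream cipher and does not expand errors. The forward error correction (FEC)
is a 3x repetition code with bitwise majority decoding. Key, IV, nonce and
plaintext are constructed for the demo.
"""
import hashlib

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    assert len(pt) % BLOCK == 0, "demo uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    """CTR: XOR with E(nonce || counter); the same call encrypts and decrypts."""
    return b"".join(_xor(data[i:i + BLOCK],
                         block_encrypt(key, nonce[:8] + (i // BLOCK).to_bytes(8, "big")))
                    for i in range(0, len(data), BLOCK))

def fec_encode(data):
    return bytes(b for b in data for _ in range(3))    # every byte sent three times

def fec_decode(data):
    # bitwise majority of each triple: corrects any single flipped bit per triple
    return bytes((data[i] & data[i + 1]) | (data[i] & data[i + 2]) | (data[i + 1] & data[i + 2])
                 for i in range(0, len(data), 3))

def flip_bit(data, bit):
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def bits_changed(a, b, width=BLOCK):
    """Number of differing bits in each width-byte slice of a and b."""
    return [sum(bin(x ^ y).count("1") for x, y in zip(a[i:i + width], b[i:i + width]))
            for i in range(0, len(a), width)]

KEY, IV, NONCE = b"constructed-demo-key", bytes(range(16)), bytes(8)
PT = b"FORWARD-ERROR-CORRECTION DEMO!!!"    # 32 bytes: exactly two blocks

def cbc_expansion(bit=5):
    """Plaintext bits changed per block when ciphertext bit `bit` flips in transit."""
    ct = cbc_encrypt(KEY, IV, PT)
    return bits_changed(PT, cbc_decrypt(KEY, IV, flip_bit(ct, bit)))

def ctr_expansion(bit=5):
    ct = ctr_crypt(KEY, NONCE, PT)
    return bits_changed(PT, ctr_crypt(KEY, NONCE, flip_bit(ct, bit)))

def fec_after_encryption(bit=5):
    """Encrypt, then FEC: the receiver repairs the wire error before decrypting."""
    wire = flip_bit(fec_encode(cbc_encrypt(KEY, IV, PT)), bit)
    return cbc_decrypt(KEY, IV, fec_decode(wire))

def fec_before_encryption(bit=5):
    """FEC, then encrypt: CBC expands the wire error into a garbled block the code cannot repair."""
    wire = flip_bit(cbc_encrypt(KEY, IV, fec_encode(PT)), bit)
    return fec_decode(cbc_decrypt(KEY, IV, wire))

if __name__ == "__main__":
    print("CBC bits changed per block:", cbc_expansion())  # block 0 garbled, block 1: one bit
    print("CTR bits changed per block:", ctr_expansion())  # [1, 0]
    print("FEC after encryption recovers PT:", fec_after_encryption() == PT)    # True
    print("FEC before encryption recovers PT:", fec_before_encryption() == PT)  # False
```

With the single wire error landing in the first ciphertext block, CBC decryption garbles that whole block and flips one bit of the next; the repetition code repairs the error only when it wraps the ciphertext, because then the receiver corrects a single bit before decryption instead of facing sixteen garbled bytes after it. CTR mode shows the other side of the footnote below: a mode that behaves as a stream cipher passes the single bit error straight through without expansion.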
Interactions between cryptographic and non-cryptographic mechanisms can also result in
security vulnerabilities. One classic way this occurs is with protocols that use stream ciphers⁴⁹
⁴⁹ Stream ciphers encrypt and decrypt one element (e.g., bit or byte) at a time. There are no approved algorithms
specifically designated as stream ciphers. However, some of the cryptographic modes defined in [SP 800-38]
can be used with a symmetric block cipher algorithm, such as AES, to perform the function of a stream cipher.