From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: checksum with length constraints
Date: Wed, 4 Sep 2002 22:24:49 +0000 (UTC)
Message-ID: <al617h$26u1$1@agate.berkeley.edu>

Cryptoguy1 wrote:
>   I read Wagner et al's paper on 'Intercepting Mobile
>communications'. That attack exploited the distribution property of
>CRC checksums, i.e.,
>   c(M) XOR c(x) = c(M XOR x)
>
> My assumption was that a similar attack would not be possible if I
>used SHA-1... am I missing something here?

Yes, you're missing something here.  If you append an unkeyed SHA-1
checksum, then encrypt with a stream cipher (say, RC4, or AES-CTR),
there are other attacks.  Note:
   if c = (m || H(m)) xor z
   and c' = c xor ((m xor m') || (H(m) xor H(m'))),
   then c' decrypts to m' with a valid checksum.
This leads to a simple known-plaintext attack on message integrity.
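A worked illustration of the construction in the reply above, added here and not part of the original post: it builds c = (m || SHA-1(m)) XOR z, applies the known-plaintext delta to get c', and shows the receiver's SHA-1 check still passing. The keyed HMAC-SHA1 variant at the end is an assumed alternative for comparison (the post does not propose it); the keystream z and the messages are constructed sample values.

```python
import hashlib
import hmac
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_hash_then_stream(m: bytes, keystream: bytes) -> bytes:
    """c = (m || H(m)) xor z, with H = SHA-1 and z a stream-cipher keystream."""
    body = m + hashlib.sha1(m).digest()
    return xor(body, keystream)

def decrypt_and_check_hash(c: bytes, keystream: bytes):
    """Receiver side: strip keystream, split off the 20-byte SHA-1, verify it."""
    body = xor(c, keystream)
    m, tag = body[:-20], body[-20:]
    return m, hmac.compare_digest(tag, hashlib.sha1(m).digest())

def apply_known_plaintext_delta(c: bytes, m: bytes, m_new: bytes) -> bytes:
    """c' = c xor ((m xor m') || (H(m) xor H(m'))), as in the post.
    Needs only the known plaintext m and a same-length m'; no key is involved."""
    assert len(m_new) == len(m)
    delta = xor(m, m_new) + xor(hashlib.sha1(m).digest(), hashlib.sha1(m_new).digest())
    return xor(c, delta)

# Assumed keyed alternative (not from the post): HMAC-SHA1 under a secret key,
# so the tag for m' cannot be computed from public information.
def encrypt_hmac_then_stream(m: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    body = m + hmac.new(mac_key, m, hashlib.sha1).digest()
    return xor(body, keystream)

def decrypt_and_check_hmac(c: bytes, keystream: bytes, mac_key: bytes):
    body = xor(c, keystream)
    m, tag = body[:-20], body[-20:]
    return m, hmac.compare_digest(tag, hmac.new(mac_key, m, hashlib.sha1).digest())

def demo():
    m = b"transfer $0100 to alice"        # constructed known plaintext
    m_new = b"transfer $9900 to alice"    # constructed same-length substitute
    z = os.urandom(len(m) + 20)           # stands in for the RC4 / AES-CTR keystream
    mac_key = os.urandom(32)
    c = encrypt_hash_then_stream(m, z)
    forged_m, ok_hash = decrypt_and_check_hash(apply_known_plaintext_delta(c, m, m_new), z)
    c2 = encrypt_hmac_then_stream(m, z, mac_key)
    _, ok_hmac = decrypt_and_check_hmac(apply_known_plaintext_delta(c2, m, m_new), z, mac_key)
    return forged_m, ok_hash, ok_hmac   # -> (b"transfer $9900 to alice", True, False)
```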