Securing Stream Ciphers (HMAC) - Computerphile 

I want to meet this man. I feel like I could hear him talking from hours and not get bored.

Dr. Pound! This guy could read me his shopping list and I would still watch it

....I honestly get the feeling that Dr. Pound is wildly more intelligent that we realize or he portrays and he always seems like he has to hold back just a bit so he doesn't inadvertently say too much. Like, there is a line that shouldn't be crossed with regard to explaining things and he is constantly dancing with that line and at times has to stop for a moment and think "Ok, right, where am I?....oh, right, ok we can go further" lol Anyone else get that?? Hes awesome man.

This bloke is a well-rounded pundit of computer science--vision, cryptography, algorithms, all the good stuff.

Absolutely love these computerphile videos. To the team: please do not stop making more videos!

Please sent Mike £100

HE'S BACK! ALL ABOARD THE TRAIN TO POUND TOWN...

The encryption related Computerphile videos are some of my favorite.

This video seemed to end without much of a conclusion...

make a 2 hour video with this guy, i could listen to him all day

Actual HMAC stuff starts at 4:00 Until then, he's pointing out flaws with substitution in a stream cipher.

This guy is my favorite!

Great video. I love Mike Pound - he is my favorite person on computerphile

Well, do not forget AES CBC is weird, it’s a block cipher, though because of the XOR chaining you can also do this there

Mike is implicitly asking us to send him £100

This is the most amazingly clear and concise explanation, thanks

I like the way how he comes to the topic, it's brilliant Mike!!!!

This guy is awesome. Make sure he keeps on making us videos!

just had an hmac nightmare, this came a bit too late

Is it wrong to feel kinda in love with him? I might have completed my studies if he were my teacher.

Love this series, but could you please cover Elliptic curve Cryptography? I feel like this channel explains everything the best, so it would be much appreciated.

I have an exam in computer security coming up soon. These videos are golden

I didn't even know HMACs existed until I came across them at work - it's good to know a bit more about them.

You're helping me so much studying for my Security+ exam!!!!

Someday you should do a video on AEAD, which is more modern than plain old Stream cipher.

Dr. Mike is the best! And this totally reminds me of the Office, especially with the personal interviewing and the random zooms and close-ups 😂 I also love the washing machine animation!!

Switching off is probably not what anyone has ever done that clicked on a Computerphile video, especially with Mike.😁

its said if you can explain something in simple words, you dont understand the concept. But you sir are just a marvel. Thanks alot.

The seccond method can actually be just as secure if it is guaranteed that none of the valid messages can be a simple concatenation of 2 or more other valid messages. The easiest way to guarantee it is just to always put a total message length block somewhere inside the protected message. This method is a little bit faster than the HMAC.

I feel like these videos always just scratch the surface and don't go in depth too often. I really would like to see some in depth content for the loyal subscribers!

Should have watched this video before my midterm...finally I feel like I know something. Thanks!

Well done ! really enjoyed your video.

these guys are legends

Thanks. Studying for CISSP. I just subscribed!

thanks a lot this helped me in studying hmac for my exams

thank you for that brilliant video!

Something implicit in the video: the key in a SC is the same length than the message. Fantastic expl. The guy is a genius

How are you able to explain topics so easily.Seriously, it seems like child's play when I understand things like this

I freaking love this dude. Why aint this guy my teacher.

I've really enjoyed these videos that are related to information and security! I was wondering though, could you guys could make some videos in the "Essentials" series that cover the basics of those topics?

So, the outerpad and innerpad are just arbitrary constants that are used to derive the two separate keys which are then used to hash the message authentication code?

Is this part of a series? He mentions the SHA video as if I'm supposed to have seen it before, but I can't find an official playlist with computer security related videos från computerphile.

Something I didn't understand. Around 5:00, after introducing the first "naive" solution to the problem of tampering the stream cipher - i.e. computing a hash - Dr. Mike rejects this immediately because the middle-man can easily tamper the message and then compute a hash. what I don't understand is how can he compute the hash of the unencrypted message? All he has is the encrypted message, and if the hash is of the un-encrypted, how can he compute this?

I have a big ask. It may take several videos but I should love to see a simple but complete differential cryptanalysis. And a set on linear cryptanalysis. We hear about it all the time but it means very little to most of us. There are many books on it but these are hard to follow, a video would be much easier and better. Thanks! If you do it I shall sent a much bigger 'thank you', capital letters and all!

What about video encryption is this stream cypher?

The captions on this aren''t great, any way for me to edit?

06:33 would adding length of message (excluding added length) in message prevent append attack?

what exactly stops us from doing h(m|k) as opposed to h(k|m)? we don't need to worry about resuming the internal state of the hash function because that would only allow us to append to the key, not the message

need more !!!

I like the videos that Dr. Pound does on cryptography and cryptoanalytics, but it would be nice if he could get into more of how the math works behind the concepts. Not just describe the variables.

could you hash the message and append the hash before encrypting it and then verifying i after decryption, or are there any security implications that make that a bad idea?

Thank you!

5:13 But why don't we encrypt the checksum too? In other words be append hash of the message right *before* we do the encryption

How do the sender and receiver get same key? Do they use key exchange protocols?

Why do I get the feel that this guy was a car mechanic in a previous life?

I like the void cube and ghost cube on the shelf. :D

Why we just hash before encrypt all together message and hash? we could not compute a new hash for the changed message since we would need to know the encryption key

If we insert the hash (k1|m) at the start of message itself won't it also solve the problem? May be it s not efficient to prepend than append but i think it'l also solve the problem, but i would like to know your opinion

Helps me study for CISSP, thanks!

YAY he finally solved the ghost cube

I've seen SHA512 being used as a hash function. Does it have the same flaws as SHA256?

This guy couldn't look any more mischievous if he wore a black henchman's mask befitting a 70s' Batman episode.

There is a guy named Please who pleases Mike. Anyways, what is special about CMAC and Poly1305?

There's no video about the length extension attack yet if i see right :(

You say hases aren't for disks, but I'm pretty sure full disk encryption needs to have something like that... I remember hmacs being mentioned in the WiiU external drive encryption scheme...

I think in the video, we were shown this as a non-working solution: encrypt(message)|hash(encrypt(message)) Why couldn't you do this: encrypt(message|hash(message))

Does anyone know, what's inner pad and outer pad which he mentions at 8:10?

Hash length extension attack video ?

Great video! Can you also do one talking about HMAC-before-encrypt vs encrypt-before-HMAC? encrypt(message)|hmac(key,encrypt(message)) vs encrypt(message|hmac(key,message))

From 6:10 to 6:42 I got completely lost. I didn't understand what you were talking about and also couldn't make out some words. Could somebody explain it to me or just point me to the video I missed to understand that?

Did i miss something or he never mention how we gonna send the shared secret key to the other person ?

0:53 Left upper corner, that ghost cube :D

I was just writing in the middle of writing an RFC6238 TOTP in C++ (because I can't find any that compile in Code::Blocks to run in cmd.exe. Obviously over on Linux its all just works.)

Gotta love the paper he uses with the sprocket holes. Who does that ?!?! LoL

so why not just use digital signatures? when would we use HMAC as oppsed to using signtures?

What software did you use to make this animation?

DONT QUIT THE VIDEO JUST YET 😂

*Sees doc pound* *EXTERMINES THAT LIKE BUTTON*

why not just append a salt and signature of the message+salt after that BEFORE applying the cipherstream? The attacker could change the message, but they're going to have a pretty hard time guessing what the salt is to compute the hash and even if they did they wouldn't be able to XOR it to the state the recipient expects.

Why not just do SHA2( msg | key ) and not SHA2( key | msg ) like this the malicious appends can only get SHA2( msg | key | malicious ) but the check will be made SHA2( msg | malicious | key) ?

Someone just flipping bits like that doesn't have the old message or the new message to compute the hashes from. Plus the hash itself is likely to be encrypted. Here, it comes down to how much power you think the attacker has. If he can read all your messages and correctly guess all your keys, you're sunk anyway because he can do whatever he wants.

The teaching is awesome and he explains greatly, but i can't help but to notice how every video seems like an episode from The Office

I'm a newbie, is hmac reversible?

Why not just append the key to the end of the message before taking the hash instead of prepending it to the beginning? Wouldn't that solve length-extension?

Wait a sec? So a Block cipher changes multiple bits? so if I changed a single letter/bit, in the message that in turn makes the entire message of letters before and after get altered also??? I know of alot of coding systems but as far as I'm aware I think everything usually is 1 to 1, example if we used Enigma 1 letter in 1 letter out sorta like a substitution! If we Transposition it then the same amount of letters move around, If we playfair it then we still end up with same count of letters, in fact I can't think of any 1 situation where 1 plaintext letter is fully responsible for keeping the entire rest of the message mathematically in tact The only thing I can think of is... if you Take 8 Letters that are 8 Bits long in Ascii and Put the rows of numbers 1 by 1 under until you get like 8x8 thus 64 bits but instead grouping all the 1st bits and making an Ascii character out of then then all the 2nd bits until all 8 is done then substitute that maybe along with a 1 time pad, then I can see how maybe by chance changing 1 Ascii can sometimes Affect many characters, unless I'm not seeing something here? So example lets say A=001 B=010 C=100 R=111and our word was Cab then 100, 001, 010 if stacked could be 100, 001, 010 which doesn't change anything but lets try BAR, 010, 001, 111 we get now, 001, 101, 011 now this is kinda neat because we have new numbers which might be mapped to a question mark or something if this was 8 bit ascii but then math to it could change it yet again. I can't 100% see how a single change normally can affect the outcome of how a message works, but I can see in my example how sometimes hit or miss it can affect the entire message! I will have to look at block ciphers to maybe understand, but for most part from my experience the bulk of codes/encryption almost always is the Plain Text being heavily altered with some steps where if you isolated any letter usually, you get the plaintext of that specific letter! Equally speaking if deleting a letter anywhere or changing a letter anywhere also usually doesn't disturb a message most times in all of it's entirety. However what I can say is... if it is possible where 1 Letter is the only way to crack the code if unchanged and all characters have that exact same property and must be One! Then yes that would be 100% valuable and secure as you can just take that and put that through 1 to 1 ciphers knowing there was a step involved that binds all of them together as a whole as one unit.

Doc Pound is my jam

It's David Brent!!!

So I guess the length extension video never came out sed.

The questions of the guy with the camera don't sound very clearly..

So... do you HMAC then encrypt or encrypt then HMAC? And for the love of Turing, please clean your screen. :)

Why doesnt this work?: encrypt(message hash(message))

CBC mode for block ciphers

You can see at 5:44 the spider bite in Tobey Maguire's hand

I've used you guys so often in my degree, can you guys start a Patreon so that myself and others can donate?

idk why but this reminds me of the office

But how would you share the key in secure way?

thanks

Psuedo?

What if instead of appending the key you prepend the key. It's secret so no one would know what the state would be after the key.

The animation got us all =)))