Score:1

Remote Attestation: when to use Checksum and when to use a Cryptographic Hash function?

in flag

In computer security applications, to check the integrity of a specific data/program binary, a cryptographic hash function is normally deployed to generate a digest and compare it with a reference digest.

When a remote device proves the integrity of the code and data residing on the platform to a verifying party, it is called remote attestation.

Looking into different remote attestation schemes, I remarked that some of them use a checksum on the memory content to generate the attestation value. In contrast, others propose using a cryptographic hash function.

I personally was expecting that a cryptographic hash function is the goto function when integrity is demanded, especially when the system security is in goal.

"Software-based attestation schemes aim at proving the integrity of code and data residing on a platform to a verifying party." reference

An example of the most common software-based remote attestation scheme is SWATT, which conducts a checksum on the memory content in a pseud-random traversal.

What makes the use of the checksum more common than a cryptographic function for such a security mechanism?

kelalaka avatar
in flag
Being stupid or ignorant is free! however, what you quoted is PUF where the checksum only used against the noise/errors.
Lavender avatar
in flag
@kelalaka I used the citation just for the definition of the attestation schema which is in the abstract of the paper which can be read for free on the publisher's page. As for the PUF in that paper, it is used to link the attestation value with the hardware of the device so that the verifier knows it is coming from that specific device. But if you look into the attestation procedure, you will see that they are using the SWATT procedure which uses a checksum function. In the cited paper they are not using the PUF as a checksum.
kelalaka avatar
in flag
You are missing the contexts. The SWATT is applied to sensor network devices in 2004 where they have very limited device capabilities. The other one is in 2014 and claims to combine FPGA into the game. You should look at the age, the platform, the threats then one can talk about the CkeckSum vs Cryptographic Hash function. I simply say why not the Merkle Tree while it is around for more than 20 years!
Score:0
in flag

A checksum is mostly used to identify data corruption during transfer, there are many schemas for this that are better than Checksum for example ARQ. Hash functions are more computationally expensive and thus are less desirable when only attesting to errors during transfer. However, when you are actually considering security (eg. verifying data integrity) a hash function is right for the job.

Overall a combination of checksum (or some similar method) should be used for transmission errors while hashes should be used when there are concerns regarding security.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.