If an attacker breaks a dynamic key he can with 100% certainty obtain the
key by decrypting the next KX if this is done with the current dynamic key.
At best he can reconstruct some part of the previous KX (the one that
negotiated the key he broke). This indeed provides more known plaintext with
which to attack the static key used for the KX. Given the small volume of
material involved in KX - even over a reasonable time period - a known
plaintext attack is not going to be easy. Correct me if I'm wrong but there
are no such published attacks on Blowfish.

On the one hand we have the natural caution of anyone involved in
to avoid 1) encrypting too much material with the same key and 2) exposing
too much known plaintext. On the other hand we know for sure that the
breaking of just one dynamic key leads to the ability to read ALL subsequent
traffic (until the static key is used).

I therefore vote for using the only static key for KX and for KX alone.

On Wednesday 01 October 2003 10:02, jon+cipe,AT,silicide,DOT,dk wrote:
> On Wed, Oct 01, 2003 at 09:45:49AM +0200, Allan Latham wrote:
> > Hi all
> > 1. I am considering alternatives to MD5.
> > 2. Almost all packets are encrypted with the dynamic key. Those that fail
> > CRC are subject to an extra decryption with the static key. In normal
> > circumstances this is no great problem. The risk is that it increases the
> > effectiveness of a DOS attack. (Sending garbage to CIPE would make it
> > consume twice as much CPU).
> > I did not make it clear. The intention is to use the static key only for
> > KX and the dynamic key only for data. This means that if an attacker
> > breaks a dynamic key he cannot then use this to decrypt the KX and get
> > the next dynamic key. Avoiding using the static key for data minimises
> > its use and
> Is this a good idea?
> Suppose that an attacker gets an encrypted KX, after that he gets the
> dynamic key, now he has known plaintext, and isn't it then easier to
> find the static key?
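
The key-separation argument in this thread, as an added example that is not part of the original messages and is not CIPE's code: it compares which epochs a passive attacker can read after breaking one dynamic key when KX packets are encrypted under the current dynamic key versus under the static key. The SHA-256 keystream stands in for Blowfish, and the packet layout, key values and function names are constructed for illustration.

```python
import hashlib
import zlib

def crypt(key, nonce, data):
    # Toy stream cipher (SHA-256 keystream); an assumed stand-in for Blowfish.
    stream = b"".join(hashlib.sha256(key + bytes([nonce, blk])).digest()
                      for blk in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, nonce, body):
    # Append a CRC32 so a correct decryption can be recognised.
    return crypt(key, nonce, body + zlib.crc32(body).to_bytes(4, "big"))

def unseal(key, nonce, packet):
    plain = crypt(key, nonce, packet)
    body, crc = plain[:-4], plain[-4:]
    return body if zlib.crc32(body).to_bytes(4, "big") == crc else None

def session(kx_under_static, epochs=5):
    # Constructed traffic: each epoch is one KX packet carrying the new
    # dynamic key, followed by one data packet under that key.
    static_key = hashlib.sha256(b"constructed static").digest()[:16]
    dyn = [hashlib.sha256(b"constructed dyn %d" % i).digest()[:16]
           for i in range(epochs)]
    wire = []
    for i, key in enumerate(dyn):
        # The first KX always uses the static key; later ones depend on the design.
        kx_key = static_key if (kx_under_static or i == 0) else dyn[i - 1]
        wire.append(seal(kx_key, 2 * i, key))
        wire.append(seal(key, 2 * i + 1, b"data for epoch %d" % i))
    return wire, dyn

def readable_epochs(wire, broken_key, broken_epoch):
    # Passive attacker who recorded all traffic and broke one dynamic key.
    known, readable = broken_key, []
    for i in range(broken_epoch, len(wire) // 2):
        if i > broken_epoch:
            known = unseal(known, 2 * i, wire[2 * i])  # try the key on the next KX
            if known is None:
                break  # KX was not under a key the attacker holds
        if unseal(known, 2 * i + 1, wire[2 * i + 1]) is not None:
            readable.append(i)
    return readable

if __name__ == "__main__":
    for design in (False, True):
        wire, dyn = session(kx_under_static=design)
        print("KX under static key:", design, "->", readable_epochs(wire, dyn[1], 1))
```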