
To: cipe-l,AT,inka,DOT,de
Subject: Re: Simple steps to improve CIPE security
From: Allan Latham <alatham,AT,flexsys-group,DOT,com>
Date: Wed, 1 Oct 2003 11:36:17 +0200
In-reply-to: <20031001080249.GA6230@gw.silicide.dk>
References: <000401c387eb$9234bd20$d620a8c0@pcw_hans.hnsasd.priv> <200310010945.49258.alatham@flexsys-group.com> <20031001080249.GA6230@gw.silicide.dk>

Hi all

If an attacker breaks a dynamic key he can with 100% certainty obtain the 
key by decrypting the next KX if this is done with the current dynamic key.

At best he can reconstruct some part of the previous KX (the one that 
negotiated the key he broke). This indeed provides more known plaintext with 
which to attack the static key used for the KX. Given the small volume of 
material involved in KX - even over a reasonable time period - a known 
plaintext attack is not going to be easy. Correct me if I'm wrong but there 
are no such published attacks on Blowfish.

On the one hand we have the natural caution of anyone involved in 
to avoid 1) encrypting too much material with the same key and 2) exposing 
too much known plaintext. On the other hand we know for sure that the 
breaking of just one dynamic key leads to the ability to read ALL subsequent 
traffic (until the static key is used).

I therefore vote for using the only static key for KX and for KX alone.

Best regards


On Wednesday 01 October 2003 10:02, jon+cipe,AT,silicide,DOT,dk wrote:
> On Wed, Oct 01, 2003 at 09:45:49AM +0200, Allan Latham wrote:
> > Hi all
> >
> > 1. I am considering alternatives to MD5.
> >
> > 2. Almost all packets are encrypted with the dynamic key. Those that fail
> > CRC are subject to an extra decryption with the static key. In normal
> > circumstances this is no great problem. The risk is that it increases the
> > effectiveness of a DOS attack. (Sending garbage to CIPE would make it
> > consume twice as much CPU).
> >
> > I did not make it clear. The intention is to use the static key only for
> > KX and the dynamic key only for data. This means that if an attacker
> > breaks a dynamic key he cannot then use this to decrypt the KX and get
> > the next dynamic key. Avoiding using the static key for data minimises
> > its use and
> Is this a good idea?
> Suppose that an attacker gets an encrypted KX, after that he gets the
> dynamic key, now he has known plaintext, and isn't it then easier to
> find the static key?
> JonB
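
The trade-off argued in this thread, as an added simulation that is not part of the original messages and is not CIPE code: it compares wrapping each KX under the current dynamic key with wrapping it under the static key, and reports which dynamic keys are exposed once one of them is broken. Assumptions: a SHA-256 keystream stands in for Blowfish, the KX layout (new key plus CRC32) and all keys are constructed, and every function name is hypothetical.

```python
import hashlib
import zlib

def toy_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (stand-in for Blowfish; assumption)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def sample_key(label: str) -> bytes:
    """Constructed, reproducible 128-bit sample key."""
    return hashlib.sha256(label.encode()).digest()[:16]

def make_kx(wrap_key: bytes, index: int, new_key: bytes):
    """Constructed KX message: new dynamic key followed by its CRC32."""
    nonce = index.to_bytes(8, "big")
    body = new_key + zlib.crc32(new_key).to_bytes(4, "big")
    return nonce, toy_cipher(wrap_key, nonce, body)

def open_kx(wrap_key: bytes, kx):
    """Return the carried key, or None when the CRC check fails (wrong key)."""
    nonce, ciphertext = kx
    body = toy_cipher(wrap_key, nonce, ciphertext)
    key, crc = body[:-4], body[-4:]
    return key if zlib.crc32(key).to_bytes(4, "big") == crc else None

def run_session(rounds: int, kx_under_static: bool):
    """Negotiate `rounds` dynamic keys; return them and the captured KX log."""
    static = sample_key("static")
    dyn = [sample_key("dyn-0")]      # first key assumed already in place
    kx_log = [None]
    for i in range(1, rounds):
        new_key = sample_key(f"dyn-{i}")
        wrap = static if kx_under_static else dyn[-1]
        kx_log.append(make_kx(wrap, i, new_key))
        dyn.append(new_key)
    return dyn, kx_log

def exposed_keys(rounds: int, broken: int, kx_under_static: bool):
    """Indices of dynamic keys readable once dyn[broken] is known."""
    dyn, kx_log = run_session(rounds, kx_under_static)
    known = {broken: dyn[broken]}
    for i in range(broken + 1, rounds):
        key = open_kx(known[i - 1], kx_log[i])   # try the last key we hold
        if key is None:
            break                                # chain stops here
        known[i] = key
    return sorted(known)
```
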
