RE: Encrypted Communications and Predictable Communications?
From: Michael Silk (michaels_at_phg.com.au)
Date: 08/04/04
- Previous message: Adam Shostack: "Re: Encrypted Communications and Predictable Communications?"
- Maybe in reply to: Jonathan Leffler: "Encrypted Communications and Predictable Communications?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 4 Aug 2004 10:49:12 +1000 To: <Glenn_Everhart@bankone.com>, <jleffler@us.ibm.com>, <secprog@securityfocus.com>
Hi Glenn,
Regarding your comment on one-time-pad:
-------------------------------------
Consider a onetime pad.
In that case, the ciphertext can decrypt into any plaintext at
all, so there is no test to tell which one is right unless you
know some plaintext.
-------------------------------------
I don't see that knowing any plain-text of the encrypted
one-time-pad message would help you? How would it help? Perhaps I am
missing something...
If I sent a OTP message to Joe Blogs, addressing him in it:
"Hi Joe, the secret is ..."
And you know I always start my messages with "Hi Joe", how does
this help? It's still a guess on your part that I did, infact, start my
message with that string. And even if I did you do not get any more
information by assuming so...?
-- Michael
-----Original Message-----
From: Glenn_Everhart@bankone.com [mailto:Glenn_Everhart@bankone.com]
Sent: Wednesday, 4 August 2004 4:28 AM
To: jleffler@us.ibm.com; secprog@securityfocus.com
Subject: RE: Encrypted Communications and Predictable Communications?
If you have known ciphertext and known plaintext, you can run
every possible key and be able to tell when you get the right one.
You want to be sure your key is long enough that this is infeasible.
Note this is how DES was broken; the number of tests per second
that can be run is a function of technology.
There are more sophisticated attacks which might use known plaintext
so the above mentioned attack is kind of a best case for the cipher.
If you have no known plaintext, it can be impossible to know if
you have successfully decrypted a message. Consider a onetime pad.
In that case, the ciphertext can decrypt into any plaintext at
all, so there is no test to tell which one is right unless you
know some plaintext.
-----Original Message-----
From: Jonathan Leffler [mailto:jleffler@us.ibm.com]
Sent: Tuesday, August 03, 2004 1:26 PM
To: secprog@securityfocus.com
Subject: Encrypted Communications and Predictable Communications?
My understanding of cryptography in general is that it is easier to
determine the key for an encrypted message if you have (some) known
plain text that the encrypted message will probably contain. This might
provide you with the leverage to get the rest of the data - the unknown
part of
the message.
With program-to-program message streams encrypted using ... choose your
system - OpenSSL or TLS or ... where the programs have a known clear
text protocol, and (obviously) the encoding of the messages is known
(Kerchoff's Principle: the security is only in the keys), does the known
text provide sufficient leverage to allow a session to be cracked
offline (or, more precisely, how much known plain text would be
necessary to
provide that leverage)?
Concrete situation: consider a database system, with a client
application on one machine and a database server on another. In
general, clients can connect using either encrypted or unencrypted
communications, so it
reasonable to assume that the intruder can analyze the unencrypted
message exchanges and understand the structure of the messages sent back
and
forth. When the client connects and sets up an encrypted channel with
the server, it then communicates using a standard protocol with well
known
messages (and MAC to validate the messages). For example, there's a
handshake double-byte at the end of each message (0x000C) in either
direction of the unencrypted protocol; the initial message contains
other predictable information; other messages contain predictable
content -
particularly if you have access to the application itself; many messages
contain SQL statements, which are themselves stuffed full of easily
predictable text; and many of the messages are short, barely more than a
4-byte command sequence and a 2-byte handshake. Of course, the database
sessions are often protracted - many messages are exchanged using the
same key. Database sessions are inherently stateful, unlike simple HTTP
or
HTTPS exchanges.
Question: How much does the predictability of such message exchanges
degrade the security of an encryption system? Can anybody point to any
literature that analyzes this issue?
Should the encryption system take steps to ensure that the encrypted
data contains random information to pad out messages to at least the
minimum
block size for the encryption algorithm? Do systems like OpenSSL do
that anyway?
--
Jonathan Leffler (jleffler@us.ibm.com)
STSM, Informix Database Engineering, IBM Data Management
4100 Bohannon Drive, Menlo Park, CA 94025
Tel: +1 650-926-6921 Tie-Line: 630-6921
"I don't suffer from insanity; I enjoy every minute of it!"
PS: I am subscribed to the digest; I won't see responses until the
digest is sent unless you explicitly Cc me.
**********************************************************************
This transmission may contain information that is privileged,
confidential and/or exempt from disclosure under applicable law. If you
are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information contained
herein (including any reliance thereon) is STRICTLY PROHIBITED. If you
received this transmission in error, please immediately contact the
sender and destroy the material in its entirety, whether in electronic
or hard copy format. Thank you
**********************************************************************
This email message and accompanying data may contain information that is confidential and/or subject to legal privilege. If you are not the intended recipient, you are notified that any use, dissemination, distribution or copying of this message or data is prohibited. If you have received this email message in error, please notify us immediately and erase all copies of this message and attachments.
This email is for your convenience only, you should not rely on any information contained herein for contractual or legal purposes. You should only rely on information and/or instructions in writing and on company letterhead signed by authorised persons.
- Previous message: Adam Shostack: "Re: Encrypted Communications and Predictable Communications?"
- Maybe in reply to: Jonathan Leffler: "Encrypted Communications and Predictable Communications?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
