Re: Cryptography problem
From: Dean Hallman (deanh_at_sc.rr.com)
Date: 06/23/04
- Next message: Jim Grimmett: "Re: Cryptography problem"
- Previous message: Dean Hallman: "Re: Cryptography problem"
- In reply to: Mailman: "Re: Cryptography problem"
- Next in thread: Lassi Hippeläinen: "Re: Cryptography problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 23 Jun 2004 15:51:14 GMT
> This is known as the "known plaintext" problem, and modern
> cryptosystems are pretty much immune to it (since Kasisky's days it
> has been an axiom that the security of a system depends only on the
> key - even if the attacker knows the exact encryption algorithm and
> contents being sent).
Ahh.. Thanks. Being new to cryptography, this helps.
> BTW - why would you need to send the user
> name/password as part of the request?
Each request could be spaced minutes or even days apart.
>
> Replay attacks (reusing a request without knowing what it means): this
> is usually dealt with by adding random padding and
> timestamps/counters/unique tokens to the request. Modern systems would
> use something like a public key system to negotiate an ephemeral
> session key which is then used to encrypt the whole channel.
Yeah.. I had considered this problem as well. That's a bit further
down the road, but I'll investigate your suggestions when I reach this
point.
>
> That being said, crypto is HARD: you are very likely to get it wrong
> the first few times around. Your best bet: use HTTPS (OpenSSL is
> excellent) and have the whole channel encrypted. People put a lot of
> effort into developing the library and there really is no need to
> reinvent the wheel.
I had hoped I could use an off-the-shelf solution, but was unsure if the
"known plaintext" and "client in the wild" aspects of this problem would
go against their assumptions. I'll take a look at OpenSSL.
BTW, what about WS-Security? Do you think an implementation of this
XML-based standard would be adaptable to solve this problem? Or would
it be overkill?
Thanks,
Dean
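
The replay defences named in the quoted reply (timestamps and unique tokens), as an added example that is not part of the original thread. It assumes a pre-shared key between client and server; the names sign_request, ReplayGuard and MAX_SKEW are hypothetical. It authenticates requests only and does not encrypt them, so it does not replace the encrypted channel recommended above.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW = 300  # seconds a request stays valid (assumed policy)


def _payload(fields):
    # Canonical encoding so client and server MAC exactly the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(key, body, now=None):
    """Client side: wrap body with a timestamp, a unique nonce and an HMAC tag."""
    msg = {
        "body": body,
        "ts": int(time.time() if now is None else now),
        "nonce": secrets.token_hex(16),
    }
    msg["tag"] = hmac.new(key, _payload(msg), hashlib.sha256).hexdigest()
    return msg


class ReplayGuard:
    """Server side: check the tag, the freshness window and nonce uniqueness."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> timestamp, kept only while inside the window

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        fields = {k: msg.get(k) for k in ("body", "ts", "nonce")}
        expected = hmac.new(self.key, _payload(fields), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return "bad-tag"  # forged or modified request
        if abs(now - fields["ts"]) > MAX_SKEW:
            return "stale"  # captured request replayed after the window
        # Nonces older than the window are already rejected as stale above.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if fields["nonce"] in self.seen:
            return "replay"  # identical request seen inside the window
        self.seen[fields["nonce"]] = fields["ts"]
        return "ok"
```

The timestamp bounds how long the server has to remember nonces; without it the nonce table would have to grow forever.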