Re: Countering chosen-plaintext attacks

From: Tom St Denis (tomstdenis_at_yahoo.com)
Date: 03/16/04


Date: 15 Mar 2004 18:45:20 -0800

Mok-Kong Shen <mok-kong.shen@t-online.de> wrote in message news:<c354jd$tkp$05$1@news.t-online.com>...
> DES could also be said to resist that attack in the same
> sense, couldn't it? Anyway was AES designed with 'specific'
> features/considerations to resist chosen-plaintext attack?

Um, AES is provably resistant to differential and linear attacks. It
also seems to resist saturation, truncated differential and various
other attacks.

So I'd say it was designed with that in mind.

> Could you provide concrete references to clearly substantiate
> that point?

The last 20 years of Eurocrypt, Asiacrypt and Crypto conferences.

> If you could answer the questions in my follow-up to
> Malley that described my scheme, then I would accept your
> critique above to it. Otherwise you are just producing
> wind in my view.

pot....kettle.....arrg...!

> If CBC doesn't protect against that attack but my chaining
> mode does, isn't that fine??

CBC mode isn't meant to provide anything but replay protection. If
you want to prevent active attacks use a MAC and don't replay session
keys.

> Integrity check is a byproduct of item (1) of my original
> post and could be considered in its evaluation. Item (2),
> on the contrary, doesn't provide that check, unfortunately.

Ok, then (1) is Auth+Enc modes like OCB or EAX.

> You still haven't provided explanations why you call the
> modes of operations 'protocols'.

A protocol is just a set procedure or rules. E.g. it's protocol to
wear a tie in a fancy-dancy restaurant. It's protocol for CBC to XOR
the previous ciphertext in the current plaintext, etc...

Tom
