Re: Combine Secure 3DES Encryption with ability to count occurrence of known plaintext - how to accommodate both aims?

From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 01/20/05


Date: Wed, 19 Jan 2005 23:46:22 +0000 (UTC)

a c wrote:
>The problem I have is the limited capabilities of the HSP. It's designed for
>banking use and HMAC is not part of the capabilities - and we cannot access
>the secret keys either for use with our own application, only ANSI Key Block
>cryptograms which are used as input to encryption and MAC functions (e.g.:
>3DES CBC).

As Paul Rubin says, you can use 3DES-CBC-MAC instead of SHA1-HMAC.
(I slightly prefer 3DES-OMAC or AES-OMAC, but the difference is unimportant
if the messages you are hashing are of a constant, fixed length.)

>Looking at the response from David Wagner (thanks) this has the advantage
>that it uses standard (for our equipment) crypto operations, but we have to
>update old records (update the velocity checking data with fixed IV after a
>fixed period).

Yes. Most databases should allow you to do this, I would have thought.

>The other issue is the number of transactions processed within 48 hours -
>more than 100,000 which would mean at any one time there would be 100000
>records encrypted in this less than optimum manner.

Yes. At 20 bytes a record, that is 2 MB, not even a penny worth of disk.
At 100,000 encryptions per 2 days, that is 0.5 encryptions per second, which
any HSP should be able to handle trivially. Hard for me to imagine that this
would be a bottleneck, unless I'm missing something.

>I've searched, but can't find, a description of A/B switchover. Could I have a
>pointer please.

I have two sets, set A and set B. At the start of odd-numbered days,
I delete everything from set A and re-set it to the empty state. At the
start of even-numbered days, I delete everything from set B and re-set
it to the empty state. When I have a transaction, I add a timestamped
record of that transaction to both set A and set B. At any point,
I can retrieve the transactions that have occurred within the past 24
hours by looking in one or the other of these sets (on odd-numbered days,
I look in set B; on even-numbered days, I look in set A).

In your application, set A would have a key kA and an IV ivA associated
with it; set B would have kB and ivB. When transaction T occurs, do this:
  add (T, E(kA, ivA, CC #), timestamp) to set A, and
  add (T, E(kB, ivB, CC #), timestamp) to set B.
When a set S is re-set, delete everything from S, securely delete kS and
ivS, and pick a new key and IV. To count the number of transactions
with a particular credit card number over the past 24 hours, pick the
appropriate set to look at, say set S, compute the value E(kS, ivS,
CC #), extract all records from set S that have this same ciphertext
value and have a timestamp within the past 24 hours, and count.

If you want to count over a 48-hour period, then just double the time
scale above.

Note: E(k, iv, x) could be a deterministic encryption algorithm, or it
could just be a keyed hash (a PRF) like SHA1-HMAC, 3DES-CBC-MAC, etc.
It doesn't really matter, as you never
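
The A/B switchover described in the message above, as an added Python example that is not part of the original post. HMAC-SHA256 stands in for E(k, iv, x) (on the HSP this would be 3DES-CBC-MAC under a key held in the device); the class, its method names, the in-memory lists and the constructed test card number used with it are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class VelocityCounter:
    """Two record sets, each tagged under its own key, reset on alternate periods."""

    def __init__(self, period=86400):
        self.period = period  # 86400 s gives a 24-hour window; double it for 48 hours
        # Index 1 plays set A (reset at odd periods), index 0 plays set B (even periods).
        self.sets = [{"key": None, "reset": float("-inf"), "rows": []} for _ in range(2)]

    @staticmethod
    def _tag(key, card_number):
        # Keyed PRF over the card number: equal inputs give equal tags within one set only.
        return hmac.new(key, card_number.encode(), hashlib.sha256).digest()

    def _rotate(self, now):
        n = int(now // self.period)
        for parity, s in enumerate(self.sets):
            due = n if n % 2 == parity else n - 1  # latest period start with this parity
            if s["reset"] < due:
                # Dropping the old key makes the old tags unlinkable. Python cannot
                # guarantee secure erasure; in production the key would live in the HSP.
                s["key"] = secrets.token_bytes(32)
                s["rows"] = []
                s["reset"] = due
        return n

    def record(self, txn_id, card_number, now):
        self._rotate(now)
        for s in self.sets:  # every transaction goes into both sets
            s["rows"].append((txn_id, self._tag(s["key"], card_number), now))

    def count(self, card_number, now):
        n = self._rotate(now)
        s = self.sets[(n + 1) % 2]  # the set that was NOT reset at the start of this period
        tag = self._tag(s["key"], card_number)
        return sum(
            1 for _, t, ts in s["rows"]
            if hmac.compare_digest(t, tag) and ts > now - self.period
        )
```

Timestamps are passed in as epoch seconds so the rotation can be exercised without waiting for a real day boundary.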


