Re: Encrypting session keys with ECB.



Fabrice wrote:
When encrypting session keys, when the keysize is longer than the
blocksize, does using CBC (or other chaining mode with no
authentication) increase security compared to ECB?

I postulate that the chaining does not add anything because what is
being encrypted is a crypto key, and as such, indistinguishable from
random. The result from the ECB encryption is also indistinguishable
from random.

Does anybody agree or disagree?

That case scares me. There are various situations, still roughly consistent with that description, that I know to be problematic. Suppose two tamper-proof crypto modules share a master key, and send 128-bit user keys in two 64-bit blocks. Eve has access to the external interface of a module, which lets her send and decrypt messages under the master, but she's not supposed to get any keys.

Eve sees Alice's encrypted user key, say (x',y'), corresponding to the 128-bit key x|y. Eve fakes a ciphertext, with encrypted session key (x',x'), and from the module gets the corresponding plaintext, that is, she gets a plaintext/ciphertext pair where each half of the 128-bit is the 64-bit value x. Now with 2**64 work, she can brute-force (x,x). With another 2**64 she breaks y, and has cut her work to brute-force Alice's key from 2**128 to 2**65.

CBC with no authentication does not really help, but a "package transform" does.

For a real-world attack along these lines, see Bond and Clayton's compromise of IBM's CCA.

http://www.cl.cam.ac.uk/~rnc1/descrack/


--
--Bryan
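
The block substitution described in the reply above, as an added example that is not part of the original post: it shows that an ECB-wrapped two-block key unwraps (x',x') to x|x without complaint, while a wrap that carries a MAC rejects the spliced blob. The toy 64-bit Feistel cipher, the HMAC-based check (used here in place of the "package transform" the post names) and all function names are assumptions made for illustration.

```python
import hashlib, hmac

# Constructed toy 64-bit Feistel cipher and MAC-key derivation: illustration only.
BLOCK = 8  # bytes per block; a 128-bit key is two blocks, as in the post

def _mix(key, rnd, half, other):
    pad = hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
    return bytes(p ^ q for p, q in zip(other, pad))

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _mix(key, i, r, l)
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _mix(key, i, l, r), l
    return l + r

def ecb_wrap(master, key):
    # Blocks are encrypted independently: nothing binds x' to y'.
    return b"".join(enc_block(master, key[i:i + BLOCK]) for i in range(0, len(key), BLOCK))

def ecb_unwrap(master, blob):
    return b"".join(dec_block(master, blob[i:i + BLOCK]) for i in range(0, len(blob), BLOCK))

def _tag(master, ct):
    return hmac.new(hashlib.sha256(b"mac" + master).digest(), ct, hashlib.sha256).digest()

def auth_wrap(master, key):
    ct = ecb_wrap(master, key)
    return ct + _tag(master, ct)

def auth_unwrap(master, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(master, ct)):
        raise ValueError("wrapped key failed integrity check")
    return ecb_unwrap(master, ct)

def demo(master, user_key):
    wrapped, tagged = ecb_wrap(master, user_key), auth_wrap(master, user_key)
    installed = ecb_unwrap(master, wrapped[:BLOCK] * 2)   # (x', x') is accepted as x|x
    try:
        auth_unwrap(master, tagged[:BLOCK] * 2 + tagged[2 * BLOCK:])
    except ValueError:
        return installed, True    # spliced blob rejected before any key is installed
    return installed, False
```

`demo(master, user_key)` returns the key the unauthenticated module would install from the spliced blob and whether the MAC-checked unwrap refused the same splice.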