Re: Encrypting session keys with ECB.

Fabrice wrote:
When encrypting session keys, when the keysize is longer than the
blocksize, does using CBC (or other chaining mode with no
authentication) increase security compared to ECB ?

I postulate than the chaining does not add anything because what is
being encrypted is a crypto key, and as such, indistinguishable from
random. The result from the ECB encryption is also indistinguishable
from random.

Does anybody agree or disagree ?

That case scares me. There are various situations, still roughly consistent with that description, that I know to be problematic. Suppose two tamper-proof crypto modules share a master key, and send 128-bit user keys in two 64-bit blocks. Eve has access to the external interface of a module, which lets her send and decrypt messages under the master, but she's not supposed to get any keys.

Eve sees Alice's encrypted user key, say (x',y'), corresponding to the the 128-bit key x|y. Eve fakes a ciphertext, with encrypted session key (x',x'), and from the module gets the corresponding plaintext, that is, she gets a plaintext/ciphertext pair where each half of the 128-bit is the 64-bit value x. Now with 2**64 work, she can brute-force (x,x). With another 2**64 she breaks y, and has cut her work to brute-force Alice's key from 2**128 to 2**65.

CBC with no authentication does not really help, but a "package transform" does.

For a real-world attack along these lines, see Bond and Clayton's compromise of IBM's CCA.