# Re: Dynamic change of encryption keys

*From*: Mok-Kong Shen <mok-kong.shen@xxxxxxxxxxx>
*Date*: Thu, 19 Nov 2009 16:17:47 +0100

Joseph Ashwood wrote:

> "Mok-Kong Shen" wrote:
>
> > Joseph Ashwood wrote:
> >
> > > "Mok-Kong Shen" wrote:
> > >
> > > > It seems intuitively clear that it may be beneficial to limit the volume of materials encrypted with the same key in encryptions.
> > >
> > > Yes it does, in fact this has been standard for many years. So much so that the latest problem in SSL/TLS is in the change over.
> >
> > If my layman's understanding is not wrong, attacks of the genre of the recent attempt on AES ... could be 'practically' well defended through appropriate dynamic change of encryption keys. Such attacks are all scientifically ingenious and very sophisticated, but it seems interesting to note that countermeasures could on the other hand be rather simple and primitive, though at some -- in many practical cases tolerable in my view -- cost (there is no free lunch, of course).
>
> In some ways, yes. You seem to have missed the more important part of the statement. While key rollover certainly limits the text available to mount an attack, instead the weak point can very easily become rollover phase. That is why I specifically brought up the SSL/TLS attack, the weakness has nothing to do with exceeding the acceptable limits of security for the cipher, but the rollover itself had weaknesses. So while properly used rollovers do prevent some types of attack, they also open up additional vectors for attack and as such "simple and primitive" methods of performing the rollover will themselves form weaknesses.

I must admit my poor knowledge (I am a layman) in having apparently not correctly understood what you meant. Did you mean that, if one uses a sequence of keys K_i (i=0,1,...), there may be correlations between these that could be exploited, since they are generated by a PRNG? But firstly, the analyst has to first of all recover a number of these keys, before he could exploit that (which means that his work is multiplied by that factor). Secondly, to recover each one key he has only one single pair of plaintext and ciphertext to work on (assuming he is in this favourable situation) instead of the fairly large number of pairs commonly assumed by the various attacks (which means that his chance of success is almost negligible). Thirdly, the PRNG used could be one that is rather hard to predict (cf. my recent thread "Rendering prediction of congruential random number generators hard"). But, as said, I might have gravely misunderstood you, in which case please be kind enough to explain your points in terms easier for me to capture.

Thanks,

M. K. Shen
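The exchange above turns on how the key sequence K_i is derived. As an added example (not part of the thread, and not code by either poster), the following contrasts two rollover schedules: keys taken from a linear congruential generator, where each K_i is a public function of K_{i-1} so one recovered key determines its successor, and a one-way hash ratchet, where a recovered K_i reveals neither the chain state nor any other key. The LCG constants and the HMAC labels are constructed for illustration; the per-key byte budget implements the "limit the volume per key" idea from the thread.

```python
import hashlib
import hmac

# Constructed LCG parameters for illustration only.
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2**31


def lcg_keys(seed, n):
    """Key sequence K_i from a congruential generator: K_i = (A*K_{i-1}+C) mod M."""
    keys, x = [], seed
    for _ in range(n):
        x = (LCG_A * x + LCG_C) % LCG_M
        keys.append(x.to_bytes(4, "big"))
    return keys


def lcg_successor(key):
    """Because the recurrence is public, a single K_i fixes K_{i+1}: the rollover
    step itself, not the cipher, is the weak point Ashwood's reply warns about."""
    x = int.from_bytes(key, "big")
    return ((LCG_A * x + LCG_C) % LCG_M).to_bytes(4, "big")


class HashRatchet:
    """Rollover by one-way derivation (constructed scheme, labels are illustrative):
    K_i = HMAC(chain_i, "key"), chain_{i+1} = HMAC(chain_i, "chain").
    Old chain state is overwritten, so a recovered K_i gives no other key."""

    def __init__(self, root, bytes_per_key):
        self.chain = root
        self.budget = bytes_per_key
        self.used = bytes_per_key  # forces a derivation on first use
        self.index = -1
        self.key = None

    def _ratchet(self):
        self.key = hmac.new(self.chain, b"key", hashlib.sha256).digest()
        self.chain = hmac.new(self.chain, b"chain", hashlib.sha256).digest()
        self.index += 1
        self.used = 0

    def key_for(self, nbytes):
        """Return (index, key) for the next nbytes, rolling over when the
        per-key volume limit would be exceeded."""
        if nbytes > self.budget:
            raise ValueError("message exceeds per-key volume limit")
        if self.used + nbytes > self.budget:
            self._ratchet()
        self.used += nbytes
        return self.index, self.key
```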

