Re: Dynamic change of encryption keys



Joseph Ashwood wrote:

"Mok-Kong Shen" wrote:
Joseph Ashwood wrote:
"Mok-Kong Shen" wrote:
It seems intuitively clear that it may be beneficial to limit the
volume of materials encrypted with the same key in encryptions.

Yes it does; in fact this has been standard for many years. So much so that the latest problem in SSL/TLS is in the changeover.

If my layman's understanding is not wrong, attacks of the genre of the
recent attempt on AES ... could be 'practically' well defended through appropriate dynamic
change of encryption keys. Such attacks are all scientifically ingenious
and very sophisticated, but it seems interesting to note that counter
measures could on the other hand be rather simple and primitive, though
at some -- in many practical cases tolerable in my view -- cost (there
is no free lunch, of course).

In some ways, yes. You seem to have missed the more important part of the statement. While key rollover certainly limits the text available to mount an attack, the weak point can instead very easily become the rollover phase. That is why I specifically brought up the SSL/TLS attack: the weakness has nothing to do with exceeding the acceptable limits of security for the cipher, but the rollover itself had weaknesses. So while properly used rollovers do prevent some types of attack, they also open up additional vectors for attack, and as such "simple and primitive" methods of performing the rollover will themselves form weaknesses.

I must admit my poor knowledge (I am a layman) in having apparently
not correctly understood what you meant. Did you mean that, if one
uses a sequence of keys K_i (i=0,1,....), there may be correlations
between these that could be exploited, since they are generated by
a PRNG? But firstly, the analyst has to first of all recover a number
of these keys, before he could exploit that (which means that his work
is multiplied by that factor). Secondly, to recover each one key he
has only one single pair of plaintext and ciphertext to work on
(assuming he is in this favourable situation) instead of the fairly
large number of pairs commonly assumed by the various attacks (which
means that his chance of success is almost negligible). Thirdly, the
PRNG used could be one that is rather hard to predict (cf. my recent
thread "Rendering prediction of congruential random number generators
hard"). But, as said, I might have gravely misunderstood you, in which
case please be kind enough to explain your points in terms easier for
me to capture.

Thanks,

M. K. Shen
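
An added example, not part of the original thread or any poster's code: one way to produce the key sequence K_i discussed above with a per-key volume limit, so that consecutive keys are linked only by a one-way function. It assumes an HMAC-SHA256 ratchet (a substituted construction, not the PRNG from the thread); the names `KeyRatchet`, `key_at` and the labels `b"next"` / `b"key"` are hypothetical, and the seed is a constructed sample value.

```python
import hashlib
import hmac


def _step(state: bytes, label: bytes) -> bytes:
    # One-way derivation: knowing the output does not reveal `state`.
    return hmac.new(state, label, hashlib.sha256).digest()


def key_at(seed: bytes, i: int) -> bytes:
    """Receiver side: recompute K_i from the shared seed and the index i."""
    state = seed
    for _ in range(i):
        state = _step(state, b"next")
    return _step(state, b"key")


class KeyRatchet:
    """Sender side: hands out K_i and rolls over before a byte budget is exceeded."""

    def __init__(self, seed: bytes, max_bytes_per_key: int):
        self._state = seed
        self._limit = max_bytes_per_key
        self._used = 0
        self.index = 0

    def _advance(self) -> None:
        # Overwrite the old state so that earlier keys cannot be re-derived
        # from whatever is held in memory after the rollover.
        self._state = _step(self._state, b"next")
        self.index += 1
        self._used = 0

    def key_for(self, nbytes: int):
        """Return (i, K_i) for a message of nbytes, rolling over first if needed."""
        if nbytes > self._limit:
            raise ValueError("message exceeds the per-key volume limit")
        if self._used + nbytes > self._limit:
            self._advance()
        self._used += nbytes
        return self.index, _step(self._state, b"key")


if __name__ == "__main__":
    ratchet = KeyRatchet(bytes(32), max_bytes_per_key=64)  # constructed all-zero seed
    for size in (40, 40, 24, 1):
        i, k = ratchet.key_for(size)
        print(i, k.hex()[:16], k == key_at(bytes(32), i))
```

The index i has to travel with each message in authenticated form; this sketch covers only key derivation and the volume limit, not the rollover handshake.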
