Re: Dynamic change of encryption keys



Joseph Ashwood wrote:

> "Mok-Kong Shen" wrote:
>
>> Joseph Ashwood wrote:
>>
>>> "Mok-Kong Shen" wrote:
>>>
>>>> It seems intuitively clear that it may be beneficial to limit the
>>>> volume of materials encrypted with the same key in encryptions.
>>>
>>> Yes it does, in fact this has been standard for many years. So much so that the latest problem in SSL/TLS is in the changeover.
>>
>> If my layman's understanding is not wrong, attacks of the genre of the
>> recent attempt on AES ... could be 'practically' well defended through appropriate dynamic
>> change of encryption keys. Such attacks are all scientifically ingenious
>> and very sophisticated, but it seems interesting to note that counter
>> measures could on the other hand be rather simple and primitive, though
>> at some -- in many practical cases tolerable in my view -- cost (there
>> is no free lunch, of course).
>
> In some ways, yes. You seem to have missed the more important part of the statement. While key rollover certainly limits the text available to mount an attack, instead the weak point can very easily become the rollover phase. That is why I specifically brought up the SSL/TLS attack: the weakness has nothing to do with exceeding the acceptable limits of security for the cipher, but the rollover itself had weaknesses. So while properly used rollovers do prevent some types of attack, they also open up additional vectors for attack, and as such "simple and primitive" methods of performing the rollover will themselves form weaknesses.

I must admit my poor knowledge (I am a layman) in having apparently
not correctly understood what you meant. Did you mean that, if one
uses a sequence of keys K_i (i=0,1,...), there may be correlations
between these that could be exploited, since they are generated by
a PRNG? But firstly, the analyst has to first of all recover a number
of these keys, before he could exploit that (which means that his work
is multiplied by that factor). Secondly, to recover each one key he
has only one single pair of plaintext and ciphertext to work on
(assuming he is in this favourable situation) instead of the fairly
large number of pairs commonly assumed by the various attacks (which
means that his chance of success is almost negligible). Thirdly, the
PRNG used could be one that is rather hard to predict (cf. my recent
thread "Rendering prediction of congruential random number generators
hard"). But, as said, I might have gravely misunderstood you, in which
case please be kind enough to explain your points in terms easier for
me to capture.

Thanks,

M. K. Shen
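The exchange above turns on two points: limiting the volume of text encrypted under any one key, and making sure the rollover mechanism (the way K_0, K_1, ... are produced) is not itself the weak point. The following Python sketch is an added example, not code from either poster; it shows one way to meet both requirements with a one-way HMAC ratchet instead of a predictable congruential generator. The names (`RatchetKeySchedule`, `MAX_BYTES_PER_KEY`, `keystream`), the small per-key byte budget, and the HMAC-SHA256 counter-mode keystream standing in for a real block cipher are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed demo limit. A deployed system would bound the volume per key
# from the cipher's block size and the security margin it wants to keep.
MAX_BYTES_PER_KEY = 1024


class RatchetKeySchedule:
    """Produces the key sequence K_0, K_1, ... by a one-way HMAC ratchet.

    Each rollover replaces the chain state with HMAC(chain, "chain-key") and
    discards the old state, so recovering K_i yields nothing about K_{i-1},
    and the per-key byte budget caps how much text is ever encrypted under
    one key. Both sides only need the shared root key and the key index.
    """

    def __init__(self, root_key: bytes):
        self._chain = root_key
        self.index = 0
        self.bytes_used = 0
        self.key = self._message_key()

    def _message_key(self) -> bytes:
        # Message key is separated from the chain state by a distinct label.
        label = b"message-key|" + self.index.to_bytes(8, "big")
        return hmac.new(self._chain, label, hashlib.sha256).digest()

    def rollover(self) -> None:
        self._chain = hmac.new(self._chain, b"chain-key", hashlib.sha256).digest()
        self.index += 1
        self.bytes_used = 0
        self.key = self._message_key()

    def key_for(self, nbytes: int):
        """Return (index, key) for a message of nbytes, rolling over if needed."""
        if nbytes > MAX_BYTES_PER_KEY:
            raise ValueError("message exceeds per-key budget; split it first")
        if self.bytes_used + nbytes > MAX_BYTES_PER_KEY:
            self.rollover()
        self.bytes_used += nbytes
        return self.index, self.key


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_stream(schedule: RatchetKeySchedule, messages):
    """Encrypt messages in order; returns (key_index, nonce, ciphertext) records."""
    records = []
    for m in messages:
        idx, key = schedule.key_for(len(m))
        nonce = os.urandom(12)
        ks = keystream(key, nonce, len(m))
        records.append((idx, nonce, bytes(a ^ b for a, b in zip(m, ks))))
    return records


def decrypt_stream(root_key: bytes, records):
    """Receiver side: advance the ratchet to each record's index, then decrypt."""
    sched = RatchetKeySchedule(root_key)
    plain = []
    for idx, nonce, ct in records:
        while sched.index < idx:
            sched.rollover()
        ks = keystream(sched.key, nonce, len(ct))
        plain.append(bytes(a ^ b for a, b in zip(ct, ks)))
    return plain


if __name__ == "__main__":
    root = os.urandom(32)
    msgs = [b"A" * 600, b"B" * 600, b"C" * 300, b"D" * 200]
    recs = encrypt_stream(RatchetKeySchedule(root), msgs)
    print("key index per message:", [r[0] for r in recs])
    print("round trip ok:", decrypt_stream(root, recs) == msgs)
```

The point of the ratchet is that the "correlation between keys" the post worries about runs only forward: an analyst who somehow recovers K_1 still faces a one-way function standing between it and K_0, and the byte budget guarantees that every key sees at most `MAX_BYTES_PER_KEY` of text before it is retired.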
