
List:       cryptography
Subject:    Re: On living with the 56-bit key length restriction
From:       Cicero <cicero () redneck ! efga ! org>
Date:       1998-12-24 4:30:20

Antonomasia <ant@notatla.demon.co.uk> wrote:
>
>Jim Gillogly <jim@acm.org>
>
>> If you use a good modern cipher for each step of the 30-bit cascade and
>> include no identifying information in each step, there should be no
>> other shortcut.  "Good" for this purpose means it produces a distribution
>> of bytes indistinguishable from uniform random to someone who doesn't
>> know the key.
>
>Does this mean that padding the final block is out and ciphertext
>stealing is in ?

Or you can use either CFB or OFB, neither of which has any padding at
the end.  OFB needs salt; prepending a random or pseudo-random IV to
the message, and hashing the pass phrase with it will prevent key
repetition.  The only requirement on the salt is uniqueness.  CFB
requires either unique session keys, or else unique IVs.  Failure to
do so will put the initial block (8 bytes) of plaintext at risk.  But
unique IVs are not that hard to construct; some encryption utilities
use time(), PGP uses randseed.bin (as it does for the session keys).

Cicero
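Added example, not part of the original message or thread: the two points Cicero makes (CFB and OFB need no padding; CFB with a repeated key+IV exposes the first 8-byte block, and hashing the pass phrase with a per-message salt/IV gives a fresh key each time) shown in runnable Python. It assumes a 64-bit block size and stands in a hash-based keyed PRF (`block_encrypt`) for the real block cipher, which is enough here because CFB and OFB only ever call the cipher's encryption direction; it is not a real cipher and the function names, the fixed demo keys and IVs, and the sample messages are all constructed for this example.

```python
import hashlib
import os

BLOCK = 8  # 64-bit block, as in the DES-era discussion above


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the encryption direction of a 64-bit block cipher.

    CFB and OFB never invert the block cipher, so any keyed pseudo-random
    function with an 8-byte output demonstrates the modes. This is a
    hash-based PRF constructed for the example, not a real cipher.
    """
    assert len(block) == BLOCK
    return hashlib.sha256(b"demo-prf|" + key + b"|" + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream register is fed back on itself; encrypt == decrypt.
    The final short chunk is XORed with a truncated keystream block, so the
    output is exactly as long as the input and nothing is padded."""
    out, reg = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        reg = block_encrypt(key, reg)
        chunk = data[i:i + BLOCK]
        out += xor(chunk, reg[:len(chunk)])
    return bytes(out)


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Full-block (64-bit) CFB. Keystream for block n is E_K(ciphertext n-1),
    with E_K(IV) for the first block; again no padding."""
    out, reg = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        chunk = pt[i:i + BLOCK]
        c = xor(chunk, block_encrypt(key, reg)[:len(chunk)])
        out += c
        if len(c) == BLOCK:
            reg = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, reg = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        chunk = ct[i:i + BLOCK]
        out += xor(chunk, block_encrypt(key, reg)[:len(chunk)])
        if len(chunk) == BLOCK:
            reg = chunk
    return bytes(out)


def cfb_first_block_leak(k1, iv1, k2, iv2, p1, p2) -> bool:
    """True if C1[:8] ^ C2[:8] == P1[:8] ^ P2[:8], i.e. the first-block
    keystream E_K(IV) was the same for both messages (key and IV reused).
    Later blocks diverge because their keystream depends on ciphertext."""
    c1, c2 = cfb_encrypt(k1, iv1, p1), cfb_encrypt(k2, iv2, p2)
    return xor(c1[:BLOCK], c2[:BLOCK]) == xor(p1[:BLOCK], p2[:BLOCK])


def ofb_whole_message_leak(k1, iv1, k2, iv2, p1, p2) -> bool:
    """OFB is worse than CFB under key+IV reuse: the entire keystream repeats,
    so C1 ^ C2 == P1 ^ P2 over the full message length."""
    c1, c2 = ofb(k1, iv1, p1), ofb(k2, iv2, p2)
    return xor(c1, c2) == xor(p1, p2)


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """Cicero's remedy: hash the pass phrase with a per-message salt so the
    block-cipher key never repeats. Only uniqueness of the salt is needed."""
    return hashlib.sha256(salt + b"|" + passphrase).digest()[:BLOCK]


def seal(passphrase: bytes, pt: bytes, iv: bytes = None) -> bytes:
    """Prepend the salt/IV to the message; the key is derived from it."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv + ofb(derive_key(passphrase, iv), iv, pt)


def unseal(passphrase: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    return ofb(derive_key(passphrase, iv), iv, ct)


if __name__ == "__main__":
    K, IV = b"k" * BLOCK, bytes(range(BLOCK))          # fixed demo values
    P1, P2 = b"attack at dawn, regiment", b"retreat at dusk, company"
    print("CFB first-block leak with reused key+IV:",
          cfb_first_block_leak(K, IV, K, IV, P1, P2))
    print("Same leak with salted keys:",
          cfb_first_block_leak(derive_key(b"pw", b"salt-1"), IV,
                               derive_key(b"pw", b"salt-2"), IV, P1, P2))
    print("Round trip:", unseal(b"pw", seal(b"pw", P1)) == P1)
```

Usage note: `seal` shows the layout Cicero describes (random IV first, then ciphertext), and because the key itself is re-derived from that IV, two messages under the same pass phrase never share a keystream even if the IV were somehow reused as a CFB/OFB IV elsewhere. Only the salt's uniqueness matters for the key derivation, but the example still uses `os.urandom` rather than `time()`, since a clock can repeat or be set back.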
