[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-crypto
Subject:    Re: (AES) loopback crypto questions
From:       "Michael H. Warfield" <mhw () wittsend ! com>
Date:       2001-07-12 11:53:29
[Download RAW message or body]

On Thu, Jul 12, 2001 at 11:13:43AM +0100, Dale Amon wrote:

> First, I'm finding this one of the more interesting discussions
> that I've seen here, so in that spirit of friendly (and
> perhaps insufficiently knowledgeable) argument for the fun of it...

> Not to disagree too much, but I was assuming

> 	y = f(k1,f(k2,x)

> where k1 != k2 and f(k,x) is the same in both cases. I
> avoided  saying 

> 	y = f(k, g(k,x))

> because as you point out, you can define f and g as 
> inverses. I am also assuming symmetric keys.

> Most writers seem to be saying that reapplication of the
> same algorithm gains you 1b. I'm not sure I followed why
> any of the common ciphers would lose bits by applying
> them twice with different keys.

	Most of them don't lose bits but, if you have a known plaintext
situation, you have a condition for a "meet in the middle" attack where
you attack the crypto system from both ends, encrypting the plaintext
with K2 and decrypting with K1 searching for matching results in the
middle.  Bruce Schneier covers this attack in "Applied Cryptography"
in discussing 3-DES and why a double application of DES is not significantly
stronger than a single application.  With enough memory, you effectively
only gain one bit of strength (you double the difficulty of busting it)
over the single encryption.

	So your example of:

 	y = f(k1,f(k2,x))

	Where k1 and k2 are two independent keys of length (n).

	Is only roughly equivalent to:

	y = f(Ka,x)

	Where ka is a key of length (n+1), not (2*n).

> I accept that mainstream ciphers are fairly immune to
> a known plaintext attack; I do know there was some 
> discussion of this sort of attack against DES some
> years back that put banks at risk.

> Can you really say with confidence that if an attacker
> knows a few megabytes of content on your encrypted disk
> that they actually gain zero information about the
> encryption key? Is this mathematically provable?

	Say with confidence, I think so.  Mathematically provable,
possibly, possibly not.  Math involves assumptions.  As long as
products of large primes are unfactorable, RSA will remain
unbreakable.  Does that prove it's unbreakable?  (Maybe) What happens
if a miracle occurs and some new profound revolution in mathematics
takes place?  (Oppss)  Would I say with confidence that it's secure?
(Yes)  Could I be wrong?  (Stop snickering)

> I'm not even suggesting enough information to break the
> key, only whether the search space of possible values has
> been constrained in any way at all.

	That's what the cryptoanalysts are for...

> -- 
> ------------------------------------------------------
> Use Linux: A computer        Dale Amon, CEO/MD
> is a terrible thing          Village Networking Ltd
> to waste.                    Belfast, Northern Ireland
> ------------------------------------------------------

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

[prev in list] [next in list] [prev in thread] [next in thread]