Re[2]: (Fwd) Authentication and encryption.

[Clifford Neuman <bcn@ISI.EDU>]

   Date: Thu, 01 Sep 94 07:15:02 
   From: "Housley, Russ" <housley@spyrus.com>

   Of course, this is correct.  The tricky part is, as you say, "if 
   the encryption is strong and the probability of garbage passing the 
   integrity check is low enough."  Xerox did some work in this area that 
   resuted in a little known DES mode - Cipher Block Chaining with Checksum 
   (CBCC).  At the expense of one additional XOR per 64-bit data block, a sum 
   of the ciphertext data blocks is kept.  Then, this sum is used in the 
   encryption (and decryption) of the final data block.  CBCC ensures that 
   changes made to any ciphertext block impact the decrypted output of the 
   last block.  If the last block contains an integrity check (like a CRC) or 
   a constant, then integrity can be checked with very little additional 
   overhead.  Certainly much less overhead than MD5, epsecially if a constant 
   is used.

This sounds very similar to the PCBC mode that we used in version 4 of
Kerberos.  Of course, our PCBC mode had the unfortunate property that
swapping two ciphertext blocks resulted in no change to subsequent
plaintext blocks.

	~ Cliff

---

References:

• Re[2]: (Fwd) Authentication and encryption.
• From: "Housley, Russ" <housley@spyrus.com>

---

• Prev by Date: Re: Motorola patent 5,245,614 on compression
• Next by Date: Re: IPSEC requirements
• Prev by thread: Re[2]: (Fwd) Authentication and encryption.
• Next by thread: Re: (Fwd) Authentication and encryption.
• Index(es):
  • Main
  • Thread