
Re: Slicing and Dicing in new-esp



Hilarie,

>BTW, it's not obvious to me that having encryption and integrity use
>the same key blob is so very awful.


I must strongly differ on that issue. As was pointed out several times
before, using the same keying material for two different purposes (or even
for the same purpose but with two different algorithms) can result 
in totally insecure systems, even if the individual components are secure.

A "quintessential" example is DES-CBC for encryption and DES-CBC-MAC 
for authentication. If you use the same key for both then your
authentication is useless: the MAC output will always be identical
to the last block of the ciphertext. Thus an attacker can
change the ciphertext at will.

More generally, different algorithms may have weaknesses on different
parts of the key, in a way that makes the combination insecure.
For instance, assume the same key k is used for two imaginary algorithms 
A and B.  Algorithm A leaks the first half of its key, but is
still secure based on the second half. Algorithm B  leaks the second 
half of its key, but is still secure based on the first half. 
If, however, you use the same key for both A and B then the entire 
key is leaked and both algorithms become insecure...



Ran Canetti
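
Added example, not part of the original message: a sketch of the CBC / CBC-MAC key-reuse point above, showing that with one shared key the MAC tag equals the last ciphertext block, while independent keys break that equality. Assumptions: both modes use an all-zero IV, and a small hash-based Feistel permutation (`toy_encrypt_block`, a hypothetical helper) stands in for DES, since the property depends only on the chaining and not on the block cipher.

```python
import hashlib

BLOCK = 8  # DES block size in bytes


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation; a stand-in for DES, not DES itself."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def cbc_chain(key: bytes, plaintext: bytes) -> list:
    """Run the CBC chain with an all-zero IV and return every output block."""
    assert len(plaintext) % BLOCK == 0, "example handles whole blocks only"
    prev, out = bytes(BLOCK), []
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = toy_encrypt_block(key, mixed)
        out.append(prev)
    return out


def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """CBC encryption: all chain outputs are the ciphertext."""
    return b"".join(cbc_chain(key, plaintext))


def cbc_mac(key: bytes, plaintext: bytes) -> bytes:
    """CBC-MAC: only the final chain output is kept as the tag."""
    return cbc_chain(key, plaintext)[-1]


def tag_is_last_block(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bool:
    """True when the MAC tag adds nothing beyond the ciphertext itself."""
    return cbc_mac(mac_key, plaintext) == cbc_encrypt(enc_key, plaintext)[-BLOCK:]


# Constructed sample input and keys (illustrative values only).
MESSAGE = b"PAY 0100 TO BOB " * 2
SHARED = b"k-shared"
ENC_KEY, MAC_KEY = b"k-encryp", b"k-authen"

if __name__ == "__main__":
    print("same key blob:   ", tag_is_last_block(SHARED, SHARED, MESSAGE))
    print("independent keys:", tag_is_last_block(ENC_KEY, MAC_KEY, MESSAGE))
```
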