Re: change in isakmp/oakley
Dave Wagner (thanks Dave!) has pointed out to me the relevance of related-key attacks (see his paper with Kelsey and Schneier in Crypto'96) to the scenario that we are discussing in isakmp/oakley.
In common use of block ciphers for encryption, many of these attacks are impractical since they can easily be avoided by a reasonable choice of keys. However, when part of the key might have been chosen by the attacker, the story is a very different one. That's the story that we need to solve here. As Dave notices, some of these attacks (in particular for 3DES) become applicable here.

Maybe I'm missing something, but in this case the attacker is the other party to the conversation -- who by definition will know the full key. Unless your attack endangers the long-term public key, I fail to see its relevance.