
Re: change in isakmp/oakley



	 Dave Wagner (thanks Dave!) has pointed out to me the relevance of
	 related-key attacks (see his paper with Kelsey and Schneier in Crypto'96)
	 to the scenario that we are discussing in isakmp/oakley.
	 In common use of block ciphers for encryption many of these attacks
	 are impractical since they can easily be avoided by a reasonable choice of keys.
	 However, when part of the key might have been chosen by the attacker
	 the story is a very different one. That's the story that we need to solve
	 here. As Dave notes, some of these attacks (in particular for 3DES)
	 become applicable here.

Maybe I'm missing something, but in this case the attacker is the other
party to the conversation -- who by definition will know the full key.
Unless your attack endangers the long-term public key, I fail to see
its relevance.