
Re: change in isakmp/oakley



  Hugo,

  I might be missing something here but if you consider a participant
in the exchange an "attacker" then aren't all bets off? He can just
leak the key directly instead of choosing a "weak" component (like
one of the nonces) of a key. If I want a 3rd party to be able to decrypt
our conversation I'll probably just tell her the key instead of choosing
a weak key component to allow her to spend significantly fewer resources
cracking our key (but still have to spend a significant amount of resources).

  Dan.

> Dave Wagner (thanks Dave!) has pointed out to me the relevance of 
> related-key attacks (see his paper with Kelsey and Schneier in Crypto'96) 
> to the scenario that we are discussing in isakmp/oakley.
> In common use of block-ciphers for encryption many of these attacks 
> are impractical since they can easily be avoided by a reasonable choice of keys.
> However, when part of the key might have been chosen by the attacker
> the story is a very different one. That's the story that we need to solve
> here. As Dave notices some of these attacks (in particular for 3DES)
> become applicable here.
> 
> I can add a similar remark concerning weak keys. Recently there was a
> discussion as to whether one needs to check for weak keys in 3DES.
> Many pointed out that such a check is unnecessary since the probability 
> of picking such a key is negligible. They were right, since the assumption
> was that the party interested in the security chooses them at random. 
> But what about the attacker choosing part of the key?
> 
> As an example consider an extremely secure block cipher
> (or keyed hash for this purpose) that uses 256 bit keys,
> but it has a "negligible" set of weak keys: whenever the 128 
> right-most bits of the key are zeros the function becomes the 
> identity function. 
> Is this a problem?
> Usually not. For a randomly chosen key to fall in that set the probability 
> is 2^{-128}. 
> However, what if the first half is Ni and the second half is Nr?
> Clearly, the attacker can choose Nr=0!
> 
> Well, hope this adds some clarity to my previous sketchy arguments.
> Hope also that it convinces somebody to make the (small) 
> required change to the spec.
> 
> Hugo
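The scenario in Hugo's quoted message, worked through in code as an added example (this is not code from the thread or from the ISAKMP/Oakley spec). It builds a 3DES key two ways: the naive construction key = Ni || Nr that Hugo objects to, where each party dictates half of the key bits, and, as an illustration of a fix rather than a claim about what change was proposed for the spec, a derivation that runs both nonces through a keyed PRF (HMAC-SHA256 here) so that neither party can steer the resulting bits. The DES weak/semi-weak key table is the standard FIPS 74 list with parity bits cleared. The 96-bit nonce length, the hostile-responder functions and the assumption that Nr is chosen after Ni has been seen are this example's own choices.

```python
"""Attacker-chosen key components versus weak-key checks (added example)."""
import hashlib
import hmac
import os

# DES weak and semi-weak keys (the standard FIPS 74 list), written with the
# parity bit of every byte cleared so keys assembled from raw nonce bytes can
# be compared directly.
_DES_BAD_KEYS = {
    bytes.fromhex(h) for h in (
        # weak keys
        "0000000000000000", "FEFEFEFEFEFEFEFE",
        "E0E0E0E0F0F0F0F0", "1E1E1E1E0E0E0E0E",
        # semi-weak key pairs
        "001E001E000E000E", "1E001E000E000E00",
        "00E000E000F000F0", "E000E000F000F000",
        "00FE00FE00FE00FE", "FE00FE00FE00FE00",
        "1EE01EE00EF00EF0", "E01EE01EF00EF00E",
        "1EFE1EFE0EFE0EFE", "FE1EFE1EFE0EFE0E",
        "E0FEE0FEF0FEF0FE", "FEE0FEE0FEF0FEF0",
    )
}

NONCE_LEN = 12  # assumption for this example: 96-bit nonces, so Ni||Nr is a 24-byte 3DES key


def _strip_parity(k: bytes) -> bytes:
    return bytes(b & 0xFE for b in k)


def des_key_is_weak(k8: bytes) -> bool:
    """True if the 8-byte DES key is weak or semi-weak, ignoring parity bits."""
    if len(k8) != 8:
        raise ValueError("DES key must be 8 bytes")
    return _strip_parity(k8) in _DES_BAD_KEYS


def tdes_key_problems(k24: bytes) -> list:
    """Return the reasons a 24-byte three-key 3DES key should be rejected."""
    if len(k24) != 24:
        raise ValueError("3DES key must be 24 bytes")
    k1, k2, k3 = (_strip_parity(k24[i:i + 8]) for i in (0, 8, 16))
    problems = []
    for name, k in (("K1", k1), ("K2", k2), ("K3", k3)):
        if k in _DES_BAD_KEYS:
            problems.append(f"{name} is a DES weak/semi-weak key")
    # 3DES is E_K3(D_K2(E_K1(x))): equal neighbouring sub-keys cancel out and
    # what is left is a single DES encryption.
    if k1 == k2 or k2 == k3:
        problems.append("adjacent sub-keys are equal: 3DES collapses to single DES")
    return problems


def naive_key(ni: bytes, nr: bytes) -> bytes:
    """Key = Ni || Nr: the construction Hugo argues against. Each side fixes half
    of the key bits outright, so a hostile side can fix the half it controls."""
    return ni + nr


def prf_key(ni: bytes, nr: bytes) -> bytes:
    """Illustrative fix (this example's choice, not the spec's change): feed both
    nonces through a keyed PRF so the key bits depend on both in a way neither
    side can steer by picking its own nonce."""
    return hmac.new(ni, nr, hashlib.sha256).digest()[:24]


def hostile_nr_zero() -> bytes:
    """Hugo's 'Nr = 0': under naive_key the last sub-key K3 becomes the all-zero
    DES weak key regardless of what Ni was."""
    return bytes(NONCE_LEN)


def hostile_nr_collapse(ni: bytes) -> bytes:
    """A responder that has already seen Ni (assumption: Ni is sent first) can
    do better than a weak key. Under naive_key, K2 = Ni[8:12] || Nr[0:4] and
    K3 = Nr[4:12]; choosing Nr = Ni[8:12] * 3 makes K2 == K3, so the 3DES
    keying collapses to single DES under K1 = Ni[0:8]."""
    return ni[8:12] * 3


def honest_nonce() -> bytes:
    """What the party interested in security does: a uniformly random nonce, for
    which landing on a weak key really is negligible."""
    return os.urandom(NONCE_LEN)


if __name__ == "__main__":
    ni = honest_nonce()
    for label, nr in (("random Nr", honest_nonce()),
                      ("Nr = 0", hostile_nr_zero()),
                      ("Nr chosen after Ni", hostile_nr_collapse(ni))):
        print(f"{label:>20}: naive {tdes_key_problems(naive_key(ni, nr)) or 'ok'}"
              f" | prf {tdes_key_problems(prf_key(ni, nr)) or 'ok'}")
```

Running it shows the asymmetry Hugo describes: with a random Nr both derivations pass the check, but with an attacker-chosen Nr the naive key fails it every time, while the PRF-derived key is unaffected because the attacker's bits are mixed with Ni rather than copied into the key. Note that a weak-key check alone is not the fix here: it turns the attack into a denial of service (the negotiation is rejected) and does nothing against related-key effects, which is why the derivation itself has to change.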
