Re: Quick Mode and resistance to related-key cryptanalysis
Hilarie Orman wrote:
>
> What? In the generic sense, of course you shouldn't be able to relate
> keys. Is there a specific definition of "related key cryptanalysis"?
>
> Hilarie
Yes, I recall early on a discussion about simple transformations
of existing keys in Quick Mode exchanges; it is exactly those
simple, predictable key changes that make related-key
cryptanalysis work. Granted, for many algorithms, related-key
cryptanalysis is not particularly feasible, but for others, it's
a concern.
I'm not questioning that IKE Quick Mode *does* have the
resistance property, only asking about whether it was
a motivation. Just a curiosity thing.
Related-key cryptanalysis relies on being able to either effect
or predict a particular key-change (without actually knowing the
keys), and using known or chosen plaintext, recover significant
quantities of key bits.
Suppose only that you knew that:
K' = K+1
without actually knowing what the keys are. For certain algorithms,
you can determine key bits using known or chosen plaintext, in
concert with related-key "queries". Wagner/Schneier have a good
paper on related-key cryptanalysis of various algorithms, including
CAST, RC2, Biham-DES, and several others.
--
----------------------------------------------------------------------
Marcus Leech                        Mail:  Dept 8M70, MS 012, FITZ
Systems Security Architect          Phone: (ESN) 393-9145  +1 613 763 9145
Security and Internet Solutions     Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology                   mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------
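The mechanism Marcus describes (a predictable relation between K and K', plus chosen plaintext under both, yields key bits) as a worked example. This is an added illustration, not code from the message, the IPsec list or any cited paper: it uses a constructed 16-bit toy cipher whose round keys are rotations of the master key, so the predictable relation is K' = rotl(K, 2) rather than the K' = K+1 of the text. With that relation the second key's round keys are the first key's shifted by one round, and a slide-style search over chosen plaintexts under both oracles recovers K in full. For contrast, `prf_derived_key` shows a successor key taken from a PRF of the old key and a nonce, for which the same relation does not hold; that function only mimics the shape of a keyed derivation step and is not IKE's actual KEYMAT construction. The S-box, key value and nonce are all constructed sample data.

```python
"""Toy related-key (slide) attack: a cipher whose key schedule is a fixed
rotation of the key lets an attacker who can query E_K and E_K' with
K' = rotl(K, 2) recover K from about 2^(n/2) chosen plaintexts per key.
Constructed teaching example; the cipher is deliberately weak."""
import hashlib
import hmac
import random

BLOCK_BITS = 16
MASK = (1 << BLOCK_BITS) - 1
ROUNDS = 8
KEY_ROT = 2  # round key i = rotl16(K, 2*i); 8 rounds * 2 bits = 16, so k_8 == k_0

# The PRESENT 4-bit S-box, used here only as a convenient nonlinear bijection.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(i) for i in range(16)]

def rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK

def sub_nibbles(x, box):
    return ((box[(x >> 12) & 0xF] << 12) | (box[(x >> 8) & 0xF] << 8)
            | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF])

def round_fn(x, k):
    """One round: key XOR, nibble S-box, 5-bit rotation (a bijection of x)."""
    return rotl16(sub_nibbles(x ^ k, SBOX), 5)

def round_fn_inv(y, k):
    return sub_nibbles(rotl16(y, 16 - 5), SBOX_INV) ^ k

def round_keys(key):
    # Weak schedule: round key i is the master key rotated by KEY_ROT*i bits.
    return [rotl16(key, KEY_ROT * i) for i in range(ROUNDS)]

def encrypt(key, p):
    x = p
    for k in round_keys(key):
        x = round_fn(x, k)
    return x

def decrypt(key, c):
    x = c
    for k in reversed(round_keys(key)):
        x = round_fn_inv(x, k)
    return x

def slide_relation_holds(key, key2, plaintexts):
    """With key2 = rotl16(key, KEY_ROT), key2's round keys are key's round keys
    shifted by one, so E_key2(F(P, K)) == F(E_key(P), K) for every P."""
    return all(encrypt(key2, round_fn(p, key)) == round_fn(encrypt(key, p), key)
               for p in plaintexts)

def related_key_attack(oracle_k, oracle_k2, rng, budget=512):
    """Recover K from chosen-plaintext oracles for K and K' = rotl16(K, KEY_ROT).

    Queries `budget` random plaintexts under each key; by the birthday bound
    about budget^2 / 2^16 of the (P, Q) cross pairs are slid pairs, i.e.
    Q = F(P, K). Each pair suggests one key, which two cheap checks confirm.
    If no slid pair turned up, the budget is doubled and the search repeats.
    """
    while True:
        pairs_k = [(p, oracle_k(p)) for p in rng.sample(range(1 << BLOCK_BITS), budget)]
        pairs_k2 = [(q, oracle_k2(q)) for q in rng.sample(range(1 << BLOCK_BITS), budget)]
        # For a slid pair K = P ^ F^-1(Q, 0); precompute the Q-dependent half.
        pre = [(round_fn_inv(q, 0), d) for q, d in pairs_k2]
        for p, c in pairs_k:
            for inv_q, d in pre:
                cand = p ^ inv_q
                # Slid pairs also satisfy D = F(C, K); this filters almost all wrong candidates.
                if round_fn(c, cand) != d:
                    continue
                # Re-encrypting a few known pairs rules out chance survivors.
                if all(encrypt(cand, p2) == c2 for p2, c2 in pairs_k[:4]):
                    return cand
        budget = min(budget * 2, 1 << BLOCK_BITS)

def prf_derived_key(key, nonce):
    """Contrast: a successor key taken from a PRF of the old key and a nonce has
    no predictable bitwise relation to it. Mimics the shape of a keyed
    derivation step only; this is not IKE's actual KEYMAT construction."""
    mac = hmac.new(key.to_bytes(2, "big"), nonce, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")

def demo_attack(key, seed=1):
    """Run the attack against oracles for key and rotl16(key, KEY_ROT)."""
    key2 = rotl16(key, KEY_ROT)
    return related_key_attack(lambda p: encrypt(key, p),
                              lambda p: encrypt(key2, p),
                              random.Random(seed))

if __name__ == "__main__":
    K = 0xC3A5  # constructed sample key
    probe = range(0, 1 << BLOCK_BITS, 997)
    print("slide relation, K' = rotl(K, 2):",
          slide_relation_holds(K, rotl16(K, KEY_ROT), probe))
    print("slide relation, K' = PRF(K, nonce):",
          slide_relation_holds(K, prf_derived_key(K, b"constructed-nonce"), probe))
    print("recovered key: %#06x (actual %#06x)" % (demo_attack(K), K))
```

The attacker never learns K or K' up front; it only needs the relation between them and a few hundred chosen plaintexts under each, which is the point of the K' = K+1 thought experiment in the message. Note that the same cipher with the same S-box is not broken by this search when the second key is PRF-derived, because the round keys of the two keys then bear no round-shifted relation to each other.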