[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Quick Mode and resistance to related-key cryptanalysis

Hilarie Orman wrote:
> What?  In the generic sense, of course you shouldn't be able to relate
> keys.  Is there a specific definition of "related key cryptanalysis"?
> Hilarie
Yes, I recall early on a discussion about simple transformations
  of existing keys in Quick Mode exchanges, it is exactly those
  simple, predictable key changes, that makes related-key
  cryptanalysis work.  Granted, for many algorithms, related-key
  cryptanalysis is not particularly feasible, but for others, it's
  a concern.

I'm not questioning that IKE Quick Mode *does* have the
  resistance property, only asking about whether it was
  a motivation.  Just a curiosity thing.

Related-key cryptanalysis relies on being able to either effect
  or predict a particular key-change (without actually knowing the
  keys), and using known or chosen plaintext, recover significant
  quantities of key bits.

Suppose only that you knew that:

   K' = K+1

without actually knowing what the keys are.  For certain algorithms,
  you can determine key bits using known or chosen plaintext, in
  concert with related-key "queries".  Wagner/Schneier have a good
  paper on related-key cryptanalysis of various algorithms, including
  CAST, RC2, Biham-DES, and several others.

Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613
763 9145
Security and Internet Solutions          Fax:   (ESN) 395-1407  +1 613
765 1407
Nortel Technology              mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------