
Re: Missing requirements

From: Charles Watt <watt@sware.com>
Date: Thu, 23 May 1996 16:38:14 -0400 (EDT)
Message-Id: <9605232038.AA07380@mordred.sware.com>
To: bsy@cs.ucsd.edu
Cc: watt@sware.com, ietf-tls@w3.org

> I was speaking of using the channel ciphers from SSL / PCT as is.
> Certainly you can just update the IV (and unlink the packets) for
> block ciphers.
> Reusing a key for a stream cipher opens you up to a very simple
> cryptanalytic attack, *not* differential attacks.  A differential
> attack relies on gathering statistics from injecting related pairs of
> plaintext blocks for a *block* cipher and examining the resultant pair
> of ciphertext.  It requires the ability to mount a (nonadaptive)
> chosen plaintext attack, and the goal is to extract enough information
> to determine the key used.  See Biham & Shamir's nice book on
> differential cryptanalysis.
> What you're referring to is the simple fact that the reuse of a stream
> key results in the same cipher output stream being xor'd into multiple
> plaintext streams to produce ciphertext streams.  Thus, the xor of a
> pair of those ciphertext streams results in the cancelling of the
> cipher output stream and would get you the xor of two plaintext
> streams, which would presumably have relatively low entropy and can be
> easily analyzed.  No need to determine the key.

This does not work against a stream cipher that incorporates feedback of the 
resulting ciphertext into the key stream.  Such ciphers are vulnerable if 
you reuse the key, but require much more sophisticated techniques to break.
Arguing whether such techniques classify as differential cryptanalysis is 
at best nitpicking.

> > Unless the networking textbooks have been rewritten recently, UDP is a 
> > transport layer protocol.  There is no extra complexity required of a
> > transport layer security protocol to support UDP, provided that you have 
> > designed the protocol properly in the first place.
> Transport layer protocols as defined in the ISO OSI reference model
> provide reliable virtual channels out of the network layer, which
> provides unreliable datagrams.  UDP in the TCP/IP world is simply IP
> datagrams with very little extra processing.  UDP packets may be lost,
> reordered, or duplicated, just like the IP packets.
> I guess we must have read different textbooks.

To quote ISO 8072, the Transport Service Definition, connectionless mode
transmission occurs "without any requirement to maintain any logical
relationship among multiple transport-service-data-units".  Sounds like
UDP to me.  To which ISO model were you referring?

Regardless, if there is no extra complexity associated with making the
protocol appropriate for UDP, what are your objections to doing so?
Nitpicking about terminology that isn't even relevant to the topic of
discussion is an annoying waste of time.

Charles Watt
SecureWare, Inc.

Received on Thursday, 23 May 1996 16:40:16 UTC
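The two claims argued above, that reusing a synchronous keystream lets C1 XOR C2 cancel down to P1 XOR P2, and that ciphertext feedback defeats that simple cancellation, as an added illustration in Python that is not part of the original thread. SHA-256 stands in for a keystream generator; the key, the two plaintexts and the zero IV are constructed for the demo.

```python
import hashlib

BLOCK = 32  # SHA-256 digest size: one keystream block in the toy ciphers below
KEY = b"constructed-demo-key"  # constructed for the demo
# Two constructed plaintexts of equal length (77 bytes), spanning three blocks.
P1 = b"The quick brown fox jumps over the lazy dog. Meet at the usual place at noon."
P2 = b"Every packet on this channel is encrypted under the same key and no fresh IV."

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_synchronous(key: bytes, pt: bytes) -> bytes:
    """Toy synchronous stream cipher: keystream block i = H(key || i).
    The stream depends only on the key, so every message under that key is
    XORed with the identical stream (the case bsy describes)."""
    out = b""
    for i in range(0, len(pt), BLOCK):
        ks = hashlib.sha256(key + (i // BLOCK).to_bytes(4, "big")).digest()
        out += xor(pt[i:i + BLOCK], ks)
    return out

def encrypt_feedback(key: bytes, pt: bytes) -> bytes:
    """Toy cipher with ciphertext feedback (CFB-like): keystream block i =
    H(key || previous ciphertext block), starting from a fixed zero IV.
    Two messages share only the first keystream block; after that the streams
    diverge and the plain XOR cancellation stops (Watt's objection), although
    key reuse remains a weakness."""
    prev = bytes(BLOCK)  # fixed IV, constructed; reusing it is what leaks block 0
    out = b""
    for i in range(0, len(pt), BLOCK):
        ks = hashlib.sha256(key + prev).digest()
        prev = xor(pt[i:i + BLOCK], ks)
        out += prev
    return out

def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """C1 ^ C2 = P1 ^ P2 under a shared stream; with P1 known or guessed,
    P2 falls out with no key recovery at all."""
    return xor(xor(c1, c2), known_p1)

def shared_prefix_len(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> int:
    """Leading bytes for which C1^C2 == P1^P2, i.e. how far the two keystreams coincide."""
    diff_c, diff_p = xor(c1, c2), xor(p1, p2)
    n = 0
    while n < len(diff_c) and diff_c[n] == diff_p[n]:
        n += 1
    return n
```

Under the synchronous cipher the whole message leaks once one plaintext is known; under the feedback cipher only the first block does, which is why per-message IVs (or fresh keys) are the defence in both cases.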
