W3C home > Mailing lists > Public > ietf-tls@w3.org > April to June 1996

Re: Missing requirements

From: Charles Watt <watt@sware.com>
Date: Thu, 23 May 1996 16:38:14 -0400 (EDT)
Message-Id: <9605232038.AA07380@mordred.sware.com>
To: bsy@cs.ucsd.edu
Cc: watt@sware.com, ietf-tls@w3.org
-----BEGIN PRIVACY-ENHANCED MESSAGE-----
Proc-Type: 4,MIC-CLEAR
Content-Domain: RFC822
Originator-Certificate:
 MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG
 A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj
 dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw
 MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl
 Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT
 DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB
 AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf
 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA
 A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK
 aTxjgASxqHhzkx7PkOnL4JrN+Q==
MIC-Info: RSA-MD5,RSA,
 B5DRYcHzmtWQyt5M3j9RGos4bWCZFYFaQMdOcnq+3aNQrYfMt+coEoQgQqQ2ISks
 Npw8lxJmrPu8/xzwooA4syc=

> I was speaking of using the channel ciphers from SSL / PCT as is.
> Certainly you can just update the IV (and unlink the packets) for
> block ciphers.
> 
> Reusing a key for a stream cipher opens you up to a very simple
> cryptanalytic attack, *not* differential attacks.  A differential
> attack relies on gathering statistics from injecting related pairs of
> plaintext blocks for a *block* cipher and examining the resultant pair
> of ciphertext.  It requires the ability to mount a (nonadaptive)
> chosen plaintext attack, and the goal is to extract enough information
> to determine the key used.  See Biham & Shamir's nice book on
> differential cryptanalysis.
> 
> What you're referring to is the simple fact that the reuse of a stream
> key results in the same cipher output stream being xor'd into multiple
> plaintext streams to product ciphertext streams.  Thus, the xor of a
> pair of those ciphertext streams result in the cancelling of the
> cipher output stream and would get you the xor of two plaintext
> streams, which would presumably have relatively low entropy and can be
> easily analyzed.  No need to determine the key.

This does not work against a stream cipher that incorporates feedback of the 
resulting ciphertext into the key stream.  Such ciphers are vulnerable if 
you reuse the key, but require much more sophisticated techniques to break.
Arguing whether such techniques classify as differential cryptanalysis is 
at best nitpicking.

> > Unless the networking textbooks have been rewritten recently, UDP is a 
> > transport layer protocol.  There is no extra complexity required of a
> > transport layer security protocol to support UDP, provided that you have 
> > designed the protocol properly in the first place.
> 
> Transport layer protocols as defined in the ISO OSI reference model
> provide reliable virtual channels out of the network layer, which
> provides unreliable datagrams.  UDP in the TCP/IP world is simply IP
> datagrams with very little extra proessing.  UDP packets may be lost,
> reordered, or duplicated, just like the IP packets.
> 
> I guess we must have read different textbooks.

To quote ISO 8072, the Transport Service Definition, connectionless mode
transmission occurs "without any requirement to maintain any logical
relationship among multiple transport-service-data-units".  Sounds like
UDP to me.  To which ISO model were you referring?

Regardless, if there is no extra complexity associated with making the
protocol appropriate for UDP, what are your objections to doing so?
Nitpicking about terminology that isn't even relevant to the topic of
discussion is an annoying waste of time.

Charles Watt
SecureWare, Inc.

-----END PRIVACY-ENHANCED MESSAGE-----
Received on Thursday, 23 May 1996 16:40:16 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:34:49 EDT