- From: Charles Watt <watt@sware.com>
- Date: Thu, 23 May 1996 16:38:14 -0400 (EDT)
- To: bsy@cs.ucsd.edu
- Cc: watt@sware.com, ietf-tls@w3.org
-----BEGIN PRIVACY-ENHANCED MESSAGE----- Proc-Type: 4,MIC-CLEAR Content-Domain: RFC822 Originator-Certificate: MIIBvzCCAWkCEFmOln6ip0w49CuyWr9vDVUwDQYJKoZIhvcNAQECBQAwWTELMAkG A1UEBhMCVVMxGDAWBgNVBAoTD1NlY3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2Vj dXJlV2FyZSBQQ0ExFzAVBgNVBAsTDkVuZ2luZWVyaW5nIENBMB4XDTk1MDUwODIw MjMzNVoXDTk3MDUwNzIwMjMzNVowcDELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD1Nl Y3VyZVdhcmUgSW5jLjEXMBUGA1UECxMOU2VjdXJlV2FyZSBQQ0ExFzAVBgNVBAsT DkVuZ2luZWVyaW5nIENBMRUwEwYDVQQDEwxDaGFybGVzIFdhdHQwWTAKBgRVCAEB AgICBANLADBIAkEM2ZSp7b6eqDqK5RbPFpd6DGSLjbpHOZU07pUcdgJXiduj9Ytf 1rsmf/adaplQr+X5FeoIdT/bVSv2MUi3gY0eFwIDAQABMA0GCSqGSIb3DQEBAgUA A0EApEjzeBjiSnGImJXgeY1K8HWSufpJ2DpLBF7DYqqIVAX9H7gmfOJhfeGEYVjK aTxjgASxqHhzkx7PkOnL4JrN+Q== MIC-Info: RSA-MD5,RSA, B5DRYcHzmtWQyt5M3j9RGos4bWCZFYFaQMdOcnq+3aNQrYfMt+coEoQgQqQ2ISks Npw8lxJmrPu8/xzwooA4syc= > I was speaking of using the channel ciphers from SSL / PCT as is. > Certainly you can just update the IV (and unlink the packets) for > block ciphers. > > Reusing a key for a stream cipher opens you up to a very simple > cryptanalytic attack, *not* differential attacks. A differential > attack relies on gathering statistics from injecting related pairs of > plaintext blocks for a *block* cipher and examining the resultant pair > of ciphertext. It requires the ability to mount a (nonadaptive) > chosen plaintext attack, and the goal is to extract enough information > to determine the key used. See Biham & Shamir's nice book on > differential cryptanalysis. > > What you're referring to is the simple fact that the reuse of a stream > key results in the same cipher output stream being xor'd into multiple > plaintext streams to product ciphertext streams. Thus, the xor of a > pair of those ciphertext streams result in the cancelling of the > cipher output stream and would get you the xor of two plaintext > streams, which would presumably have relatively low entropy and can be > easily analyzed. No need to determine the key. This does not work against a stream cipher that incorporates feedback of the resulting ciphertext into the key stream. Such ciphers are vulnerable if you reuse the key, but require much more sophisticated techniques to break. Arguing whether such techniques classify as differential cryptanalysis is at best nitpicking. > > Unless the networking textbooks have been rewritten recently, UDP is a > > transport layer protocol. There is no extra complexity required of a > > transport layer security protocol to support UDP, provided that you have > > designed the protocol properly in the first place. > > Transport layer protocols as defined in the ISO OSI reference model > provide reliable virtual channels out of the network layer, which > provides unreliable datagrams. UDP in the TCP/IP world is simply IP > datagrams with very little extra proessing. UDP packets may be lost, > reordered, or duplicated, just like the IP packets. > > I guess we must have read different textbooks. To quote ISO 8072, the Transport Service Definition, connectionless mode transmission occurs "without any requirement to maintain any logical relationship among multiple transport-service-data-units". Sounds like UDP to me. To which ISO model were you referring? Regardless, if there is no extra complexity associated with making the protocol appropriate for UDP, what are your objections to doing so? Nitpicking about terminology that isn't even relevant to the topic of discussion is an annoying waste of time. Charles Watt SecureWare, Inc. -----END PRIVACY-ENHANCED MESSAGE-----
Received on Thursday, 23 May 1996 16:40:16 UTC