- From: Joseph Ashwood <jashwood@arcot.com>
- Date: Fri, 15 Jun 2001 12:15:41 -0700
- To: <xml-encryption@w3c.org>
I've been considering for a while now what evidence I could give to prove
that under certain circumstances CBC is less secure under an attack type
than ECB. I have finally found one, it should have been obvious from the
beginning to me but it took this long.
The example should be fairly familiar to everyone here; encrypting XML with
3DES is weaker under a key recovery attack when using CBC than it is with
ECB. To prove this you need to know that the key recovery attacks on 3DES
take knowledge of > 2^56 known pairs. With XML we only have 67 basic symbols
that are likely to be present (the base-64 encoding characters and <,>,/)
outside of that the probability is exceedingly low. This means that the
64-bit block of 3DES can only contain 67^8, that number is less than 2^49,
which is significantly lower than the needed 2^56, the attack cannot be
mounted against XML/3DES/ECB.
However moving to CBC, the actual number of input blocks that can be
encrypted rise to 2^64. With 2^64 possible texts the attack can be mounted.
This is one situation where ECB is actually more secure under an attack than
CBC. It should not be too much of a worry because the attack takes 2^90
work, but it is an example of where extremely careful selection of the
chaining mode can actually offer a slight improvement in some form of
security.
The counter-argument is that it will only take 2^49 texts to begin a
language based attack on XML/3DES/ECB, where it will take 2^64 texts to
begin the same attack on XML/3DES/CBC. This argument only applies where the
information is more important than the key. This may or may not be the case.
Like my other extremely recent posting this should not change our decisions
just present an argument for maintaining a tendancy towards diversity.
Joe
Received on Friday, 15 June 2001 15:25:12 UTC