RE: Thoughts on CBC

Joe,

This is interesting - I'd like to think on this a bit. However, you are
disregarding the ability to insert ciphertext or modify ciphertext blocks
within a message. This is one of the other primary reasons (IMHO) that one
would use CBC in the first place. If I understand you correctly, the fact
that I do not have the key is moot. If I have all 2^49 plaintext-ciphertext
pairs, all I have to do is implement a lookup system, and then I can change
the encrypted stream to be anything I want. Since ECB doesn't tie one block
to another, I can easily substitute or insert. Agree?

You pose an interesting perspective on ECB/CBC and I'll want to ponder it
a bit 8^)

Regards,
Dave Wheeler

LEGAL DISCLAIMER: The views and opinions expressed are solely my own and
do not necessarily reflect the views or opinions of Intel Corp.

-----Original Message-----
From: Joseph Ashwood [mailto:jashwood@arcot.com]
Sent: Friday, June 15, 2001 12:16 PM
To: xml-encryption@w3c.org
Subject: Thoughts on CBC


I've been considering for a while now what evidence I could give to prove
that under certain circumstances CBC is less secure under an attack type
than ECB. I have finally found one, it should have been obvious from the
beginning to me but it took this long.

The example should be fairly familiar to everyone here; encrypting XML with
3DES is weaker under a key recovery attack when using CBC than it is with
ECB. To prove this you need to know that the key recovery attacks on 3DES
take knowledge of > 2^56 known pairs. With XML we only have 67 basic symbols
that are likely to be present (the base-64 encoding characters and <,>,/)
outside of that the probability is exceedingly low. This means that the
64-bit block of 3DES can only contain 67^8, that number is less than 2^49,
which is significantly lower than the needed 2^56, the attack cannot be
mounted against XML/3DES/ECB.

However moving to CBC, the actual number of input blocks that can be
encrypted rises to 2^64. With 2^64 possible texts the attack can be mounted.

This is one situation where ECB is actually more secure under an attack than
CBC. It should not be too much of a worry because the attack takes 2^90
work, but it is an example of where extremely careful selection of the
chaining mode can actually offer a slight improvement in some form of
security.

The counter-argument is that it will only take 2^49 texts to begin a
language based attack on XML/3DES/ECB, where it will take 2^64 texts to
begin the same attack on XML/3DES/CBC. This argument only applies where the
information is more important than the key. This may or may not be the case.

Like my other extremely recent posting this should not change our decisions,
just present an argument for maintaining a tendency towards diversity.
                        Joe

Received on Friday, 15 June 2001 15:50:42 UTC
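
The block-independence point raised in the reply at the top of this thread, as an added example that is not part of either message: swapping two ciphertext blocks under ECB yields exactly the swapped plaintext, while the same swap under CBC does not. Assumptions: a toy 64-bit Feistel cipher built from SHA-256 stands in for 3DES (it is not 3DES), and the key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit block, the same block size as 3DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):  # Feistel round function (toy stand-in, NOT 3DES)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in range(8):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return [enc_block(key, b) for b in blocks(pt)]

def ecb_decrypt(key, ct):
    return b"".join(dec_block(key, c) for c in ct)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, _xor(b, prev))  # each block depends on the previous
        out.append(prev)
    return out

def cbc_decrypt(key, iv, ct):
    prevs = [iv] + list(ct[:-1])
    return b"".join(_xor(dec_block(key, c), p) for c, p in zip(ct, prevs))

# Constructed sample values: four 8-byte plaintext blocks.
KEY, IV = b"sample-key-only", b"\x01\x02\x03\x04\x05\x06\x07\x08"
PT = b"PAY-0010TO-ALICEPAY-9999TO-BOB--"

def tampered_plaintexts():
    """Swap ciphertext blocks 1 and 3 in each mode, then decrypt."""
    ecb, cbc = ecb_encrypt(KEY, PT), cbc_encrypt(KEY, IV, PT)
    ecb[1], ecb[3] = ecb[3], ecb[1]
    cbc[1], cbc[3] = cbc[3], cbc[1]
    return ecb_decrypt(KEY, ecb), cbc_decrypt(KEY, IV, cbc)
```

Under CBC the first block still decrypts correctly and the later blocks come out garbled rather than rejected; neither mode detects the change by itself.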