- From: Joseph Ashwood <jashwood@arcot.com>
- Date: Fri, 15 Jun 2001 13:54:29 -0700
- To: "Wheeler, David M AZ" <david.m.az.wheeler@intel.com>, <xml-encryption@w3c.org>
Actually I was referring to using the birthday paradox and some rudimentary knowledge of the language being transferred to treat it as a language. It's not a common type of attack, and in fact requires an absolutely absurd amount of memory to perform. But that's just superfluous information. But if you do have the permutation table (your idea) all security is lost.

It really depends on who you talk to as to what the chaining mode should accomplish (I'm working on changing this but it's going to take years). One of the primary reasons is to make the storage of the accessible permutation table impossible. Another common one is to make it more difficult for an attacker to link 2 identical (or even unrelated) plaintexts. A third is to diffuse the entropy of each block to other blocks. And yet a fourth is to block various attacks. Take whichever interpretation you want, they really are equivalent.

With CBC you can also insert rather arbitrarily as long as you're willing to accept a 2 block garbage penalty (one at the beginning, one at the end) so there's more intricate involvement than most simple statements can make.

My attack comparison is just the very beginning of some very interesting developments I'm working on for chaining modes.

Joe

----- Original Message -----
From: "Wheeler, David M AZ" <david.m.az.wheeler@intel.com>
To: "'Joseph Ashwood'" <jashwood@arcot.com>; <xml-encryption@w3c.org>
Sent: Friday, June 15, 2001 12:50 PM
Subject: RE: Thoughts on CBC

> Joe,
> This is interesting - I'd like to think on this a bit. However, you are
> disregarding the ability to insert ciphertext or modify ciphertext blocks
> within a message. This is one of the other primary reasons (IMHO) that one
> would use CBC in the first place. If I understand you correctly, the fact that
> I do not have the key is mute. If I have all 2^49 plaintext-ciphertext pairs,
> all I have to do is implement a lookup system, and then I can change the
> encrypted stream to be anything I want. Since ECB doesn't tie one block to
> another, I can easily substitute or insert. Agree?
> You pose an interesting perspective on ECB/CBC and I'll want to ponder it
> a bit 8^)
> Regards,
> Dave Wheeler
> LEGAL DISCLAIMER: The views and opinions expressed are solely my own and
> do not necessarily reflect the views or opinions of Intel Corp.
>
> -----Original Message-----
> From: Joseph Ashwood [mailto:jashwood@arcot.com]
> Sent: Friday, June 15, 2001 12:16 PM
> To: xml-encryption@w3c.org
> Subject: Thoughts on CBC
>
>
> I've been considering for a while now what evidence I could give to prove
> that under certain circumstances CBC is less secure under an attack type
> than ECB. I have finally found one, it should have been obvious from the
> beginning to me but it took this long.
>
> The example should be fairly familiar to everyone here; encrypting XML with
> 3DES is weaker under a key recovery attack when using CBC than it is with
> ECB. To prove this you need to know that the key recovery attacks on 3DES
> take knowledge of > 2^56 known pairs. With XML we only have 67 basic symbols
> that are likely to be present (the base-64 encoding characters and <,>,/)
> outside of that the probability is exceedingly low. This means that the
> 64-bit block of 3DES can only contain 67^8, that number is less than 2^49,
> which is significantly lower than the needed 2^56, the attack cannot be
> mounted against XML/3DES/ECB.
>
> However moving to CBC, the actual number of input blocks that can be
> encrypted rises to 2^64. With 2^64 possible texts the attack can be mounted.
>
> This is one situation where ECB is actually more secure under an attack than
> CBC. It should not be too much of a worry because the attack takes 2^90
> work, but it is an example of where extremely careful selection of the
> chaining mode can actually offer a slight improvement in some form of
> security.
>
> The counter-argument is that it will only take 2^49 texts to begin a
> language based attack on XML/3DES/ECB, where it will take 2^64 texts to
> begin the same attack on XML/3DES/CBC. This argument only applies where the
> information is more important than the key. This may or may not be the case.
>
> Like my other extremely recent posting this should not change our decisions
> just present an argument for maintaining a tendency towards diversity.
> Joe
>
>
Received on Friday, 15 June 2001 17:03:22 UTC
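As an added illustration of the counting argument in the thread (not code from either poster): a Python model of why the blocks fed into the block cipher are confined to a 67^8 subset under ECB but range over the full 64-bit space under CBC. It assumes a 67-symbol alphabet (the base64 characters including '=' padding, plus '<' and '>'), a constructed three-block XML sample, and a toy 64-bit Feistel permutation standing in for 3DES.

```python
import hashlib
import string

# Assumed 67-symbol alphabet: base64 characters (with '=' padding) plus the XML delimiters.
ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=" + "<>").encode())
BLOCK = 8  # 64-bit block, as with 3DES

# Constructed sample: 24 bytes = exactly 3 blocks, every byte drawn from ALPHABET.
SAMPLE_XML = b"<a>QUJD</a>/<b>ZGVm</b>/"
TOY_KEY = b"constructed-demo-key"   # hypothetical key for the toy cipher
IV = b"\x80" * BLOCK  # every IV byte has the high bit set; no ALPHABET byte does

def ecb_block_space() -> int:
    """Distinct 64-bit blocks ECB can ever feed to the cipher: |alphabet|^8 (67^8 < 2^49)."""
    return len(ALPHABET) ** BLOCK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed 64-bit permutation (4-round Feistel over SHA-256). Stand-in for 3DES; not secure."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def ecb_cipher_inputs(plaintext: bytes) -> list:
    """Under ECB the cipher sees the plaintext blocks themselves."""
    return [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]

def cbc_cipher_inputs(key: bytes, iv: bytes, plaintext: bytes) -> list:
    """Under CBC the cipher sees P_i XOR C_{i-1}, which is not confined to the alphabet."""
    prev, inputs = iv, []
    for block in ecb_cipher_inputs(plaintext):
        cipher_in = xor(block, prev)
        inputs.append(cipher_in)
        prev = toy_block_encrypt(key, cipher_in)
    return inputs

def blocks_within_alphabet(blocks: list) -> bool:
    """True if every byte of every block is one of the 67 expected symbols."""
    return all(b in ALPHABET for block in blocks for b in block)

if __name__ == "__main__":
    print("67^8 < 2^49:", ecb_block_space() < 2 ** 49)
    print("ECB inputs confined to alphabet:", blocks_within_alphabet(ecb_cipher_inputs(SAMPLE_XML)))
    print("CBC inputs confined to alphabet:", blocks_within_alphabet(cbc_cipher_inputs(TOY_KEY, IV, SAMPLE_XML)))
```

Because the IV flips the high bit of every byte, the very first CBC cipher input already falls outside the 67-symbol set, while no collection of ECB known-plaintext pairs can ever exceed 67^8 distinct blocks.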