[2318] in cryptography@c2.net mail archive
RE: Rivest's Chaffing and Winnowing
daemon@ATHENA.MIT.EDU (Michael Paul Johnson)
Mon Mar 23 14:49:34 1998
Date: Mon, 23 Mar 1998 12:39:49 -0700
To: cryptography@c2.net
From: Michael Paul Johnson <mpj@ebible.org>
Viktor commented:

> It seems that (at least as described) the system does not support
> reuse of the secret (authentication) key, since (for a fixed key) the MAC
> depends only on the value and position of a single bit in the data stream.
> After a small number of messages one would discern the correct MAC for both
> the 0 and the 1 values at each bit offset.

True. This is easily fixed by adding salt to each packet or, for greater
efficiency, by having the first legitimate packet(s) of the message set a random
IV to be used from then on.

> Since real encryption would be required to support per message key
> management, one should perturb the keyed MAC for each message sent to
> prevent this problem. Adding a non-recurring IV to the secret key may be an
> adequate solution.

Although Rivest's terminology is new, the idea of noise addition as an
encryption technique is not new. Rivest's technique of using authentication
codes to extract the message from the noise is rather novel and clever,
though. It is also clear that implemented carefully, this technique is
capable of maintaining the secrecy of communications or stored data to any
desired strength. The bandwidth efficiency is really bad, though, so its
only practical advantage over conventional secret key encryption is its
political and regulatory advantage. That advantage is not really clear,
although it certainly gives the appearance of bypassing the letter of the
law. It certainly does not bypass the spirit of the law, in that the "IE"
category is stated as being intended to restrict the export of software
that is capable of maintaining the secrecy of communications that might
affect "national security." In other words, if it helps "bad guys" to
communicate securely or store data that our spies can't read with a
reasonable amount of effort, we won't let you export it without some kind
of security breach built in so that we can catch the "bad guys." Therefore,
if you want to take advantage of this loophole in the law, you probably
have limited time. All it takes is a redefinition of "encryption software"
to shut the loophole tight. Sometimes we get fixated on the way things work
rather than what we do. A well-implemented "chaffing and winnowing" system
is just a noise addition encryption system that excels at consuming
bandwidth. On the other hand, Ron's paper does bring to mind some practical
supplements to more conventional cryptography with respect to multiplexing
encrypted streams that could add another layer of complexity for attackers
without being too much of a bandwidth hog.
The greatest value of Ron's paper, of course, is in making the current
regulations look even sillier than they already looked.
Good job, Ron. :-)
--... ...-- -.. . -. --- ----- ....
Michael Paul Johnson mpj@ebible.org http://www.ebible.org/bible
PO Box 1151, Longmont CO 80502-1151, USA http://cryptography.org
Jesus Christ is Lord! Are you ready for Jesus to come back today?
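The single-bit chaffing scheme under discussion, together with Viktor's key-reuse observation and the per-message IV fix Michael proposes, as an added example in Python that is not part of the original mail or of Rivest's paper: it builds a packet stream of one real and one chaff packet per bit, winnows it with the shared key, and counts how many tag values recur across several messages sent under the same key, first with no IV and then with a fresh 16-byte IV per message. The packet layout, the 8-byte HMAC-SHA256 tag, the `iv` argument and all function names are this example's own assumptions.

```python
"""Chaffing and winnowing on single-bit packets, with and without a per-message IV.

Added illustration; packet layout, tag size and the iv argument are assumptions
of this example, not part of Rivest's description or of the mail thread.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Set, Tuple

Packet = Tuple[int, int, bytes]  # (serial number, bit value, 8-byte MAC tag)
TAG_LEN = 8                      # assumed tag truncation


def tag(key: bytes, iv: bytes, serial: int, bit: int) -> bytes:
    """Authentication tag for one bit.  The IV is mixed into the MAC input so
    that the tag for a given (serial, bit) changes from message to message."""
    data = iv + serial.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def chaff(key: bytes, iv: bytes, bits: List[int]) -> List[Packet]:
    """Sender: for every bit emit the real packet plus one chaff packet that
    carries the opposite bit and a random tag, in random order."""
    stream: List[Packet] = []
    for serial, bit in enumerate(bits):
        wheat: Packet = (serial, bit, tag(key, iv, serial, bit))
        straw: Packet = (serial, 1 - bit, secrets.token_bytes(TAG_LEN))
        pair = [wheat, straw]
        if secrets.randbelow(2):
            pair.reverse()
        stream.extend(pair)
    return stream


def winnow(key: bytes, iv: bytes, stream: List[Packet]) -> List[int]:
    """Receiver: keep exactly the packets whose tag verifies under the key."""
    kept: Dict[int, int] = {}
    for serial, bit, t in stream:
        if hmac.compare_digest(t, tag(key, iv, serial, bit)):
            kept[serial] = bit
    return [kept[s] for s in sorted(kept)]


def to_bits(data: bytes) -> List[int]:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def shared_tags(streams: List[List[Packet]]) -> int:
    """Number of distinct tag values that occur in more than one stream.
    Chaff tags are fresh random bytes, so any recurring value is (with
    overwhelming probability) a real tag: this is what an observer would
    notice when the key is reused without an IV."""
    owners: Dict[bytes, Set[int]] = {}
    for idx, stream in enumerate(streams):
        for _, _, t in stream:
            owners.setdefault(t, set()).add(idx)
    return sum(1 for s in owners.values() if len(s) > 1)


def demo_fixed_key(key: bytes, message: bytes, rounds: int = 3) -> int:
    """Same key, no IV: every real tag reappears in every message."""
    streams = [chaff(key, b"", to_bits(message)) for _ in range(rounds)]
    return shared_tags(streams)


def demo_with_iv(key: bytes, message: bytes, rounds: int = 3) -> int:
    """Same key, fresh random IV per message: no tag value recurs."""
    streams = [chaff(key, os.urandom(16), to_bits(message)) for _ in range(rounds)]
    return shared_tags(streams)


if __name__ == "__main__":
    k = secrets.token_bytes(32)           # constructed demo key
    msg = b"Hi"                           # constructed 16-bit message
    iv = os.urandom(16)
    assert from_bits(winnow(k, iv, chaff(k, iv, to_bits(msg)))) == msg
    print("recurring tags, fixed key, no IV :", demo_fixed_key(k, msg))
    print("recurring tags, fixed key + IV   :", demo_with_iv(k, msg))
```

The count for the fixed-key case equals the message length in bits, because each of the sixteen real tags shows up in all three streams while every chaff tag is fresh; with an IV the count drops to zero. In a deployed system the IV would travel in the clear in the first legitimate packet(s), as the mail suggests; here it is simply handed to both sides. The receiver also rejects everything under a wrong key, which is the intended winnowing behaviour rather than a decryption failure.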