[2361] in cryptography@c2.net mail archive


Re: Chaffing and winnowing - efficiency improvements

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Mar 25 10:49:12 1998

Date: Tue, 24 Mar 1998 09:05:06 -0800
To: Colin Plumb <colin@nyx.net>, cryptography@c2.net
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <199803231813.LAA10397@nyx10.nyx.net>

At 11:13 AM 3/23/98 -0700, Colin Plumb wrote:
>I can make a couple of observations.  One is that since the MAC
>attached to chaff packets is arbitrary, you might as well use the
>wheat's MAC.  E.g. you'd send (0,0,4529), (0,1,4529), (1,0,2752),
>(1,1,2752), (2,0,9136), (2,1,9136), etc.

If you're just mixing your wheat and chaff data streams,
then this works fine, but if you're mixing yours together with
other people's data, this makes it easier to identify individual
wheat/chaff pairs in the combined stream, which would otherwise
be just a bunch of mush to someone who's eavesdropping the
middle of a conversation.  

On the other hand, what _do_ you put in the chaff MACs?
The worst choice is to use a simple PRNG, which a bad guy
can detect, because that identifies all the chaff.
You need cryptographically good randomness of some sort.
An interesting approach is to MAC the chaff bits using
a different session key.  (This doubles the work for the
sender, but the chaff already doubles the work for the receiver.)
If you want to, you can use this as independent verification
for the receiver (at a cost of doubling the work),
or as a way to send a copy of the message to a second receiver
for no extra transmission cost.  Of course, "copy of the message
to a second receiver" sounds a lot like, well, escrow :-)

				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
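
The second-session-key idea from the message above, as an added example that is not part of the original post: each chaff packet carries a valid MAC under a different key, so a holder of that key winnows the complement of every bit and recovers the same message. Assumptions: one bit per packet in the (serial, bit, MAC) layout of the quoted example, HMAC-SHA256 truncated to 8 bytes as the MAC, and hypothetical function names.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, serial: int, bit: int) -> bytes:
    # MAC over (serial, bit); the 8-byte truncation is an assumption of this sketch.
    msg = serial.to_bytes(8, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def chaff(bits, wheat_key: bytes, chaff_key: bytes):
    """Emit two packets per serial: the true bit MACed with wheat_key and
    the complementary bit MACed with chaff_key (the second session key)."""
    packets = []
    for serial, bit in enumerate(bits):
        pair = [(serial, bit, mac(wheat_key, serial, bit)),
                (serial, 1 - bit, mac(chaff_key, serial, 1 - bit))]
        # Always send the 0 packet first so ordering does not mark the wheat.
        packets.extend(sorted(pair, key=lambda p: p[1]))
    return packets

def winnow(packets, key: bytes):
    """Keep only the packets whose MAC verifies under key, ordered by serial."""
    kept = {}
    for serial, bit, tag in packets:
        if hmac.compare_digest(tag, mac(key, serial, bit)):
            kept[serial] = bit
    return [kept[s] for s in sorted(kept)]

def demo():
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    message = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed sample bits
    stream = chaff(message, k1, k2)
    first = winnow(stream, k1)                   # intended receiver
    # The second key holder sees the complement and inverts it.
    second = [1 - b for b in winnow(stream, k2)]
    return message, first, second

if __name__ == "__main__":
    print(demo())
```

Both chaff and wheat MACs are keyed PRF outputs here, so neither has the detectable structure of a simple PRNG, and a party holding neither key winnows nothing.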
