[525] in cryptography@c2.net mail archive
Re: chosen protocol attack
daemon@ATHENA.MIT.EDU (Angelos D. Keromytis)
Sun Apr 13 21:28:04 1997
To: kelsey@email.plnet.net
cc: "Perry's Crypto List" <cryptography@c2.net>
In-reply-to: Your message of "Sun, 13 Apr 1997 02:15:45 CDT."
<MAPI.Id.0016.00656c73657920203837463830303031@MAPI.to.RFC822>
Date: Sun, 13 Apr 1997 18:48:20 +0000
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
In message <MAPI.Id.0016.00656c73657920203837463830303031@MAPI.to.RFC822>, John
Kelsey writes:
>
>At this year's protocols workshop, I presented a paper involving
>a very fun attack. (This paper was joint work with Bruce
>Schneier and David Wagner, but I gave the talk.)
>
>Anytime you have two or more cryptographic protocols that share
>some key material, it becomes possible for one protocol to
>*interfere* with the other. That is, some message in protocol Q
>may make it possible to break some security requirement of
>protocol P. Although I had a hard time finding one, there have
>apparently been several of these. (The workshop participants
>gave me a lot of useful examples and citations for the final
>paper, which we have to submit Real Soon Now.)
[snip]
This sounds a lot like the interleaving attack (if my memory serves me
well); in that one, the attacker uses messages from different protocol
runs (of the same protocol) to subvert it. I believe Li Gong's and
Paul Syverson's "Fail Stop Protocols" paper addresses this. There's
also a followup by yours truly, which however will be submitted to
some conference RSN.
Cheers,
-Angelos