[595] in cryptography@c2.net mail archive
Re: The unmentionable algorithm
daemon@ATHENA.MIT.EDU (EKR)
Mon Apr 21 10:04:18 1997
To: jamesd@echeque.com
cc: Adam Back <aba@dcs.ex.ac.uk>, smb@research.att.com, coderpunks@toad.com,
cryptography@c2.net
In-reply-to: Your message of "Sun, 20 Apr 1997 08:04:06 +0800."
<199704201504.IAA20402@proxy2.ba.best.com>
Date: Sun, 20 Apr 1997 11:32:31 -0700
From: EKR <ekr@terisa.com>
> At 08:59 AM 4/20/97 +0100, Adam Back wrote:
> > I think what Steven is saying is that if you know a section of
> > plaintext you can replace it with another chosen piece of plaintext
>
> Thank you. On reflection that is apparently what he meant to say,
> though he had two stabs at it without getting very close.
>
> Of course the remedy to this problem is to always send a checksum,
> (not necessarily a cryptographically strong hash) whereas other,
> more complex codes act as their own checksum.
I wouldn't pretend to speak for Steve about what Steve meant,
but just sending a checksum certainly isn't sufficient. In fact,
neither is sending a cryptographically strong hash. You need to
send a keyed hash.
Consider the case where the ciphertext is:
RC4 (MSG || CHECKSUM(MSG)) where || is concatenation.
Assume, further, that the attacker knows not some of MSG
but all of it. From that, he can compute CHECKSUM(MSG)
which permits him to compute the section of keystream
that was used to encrypt CHECKSUM(MSG). Now he can replace
the entire message with one of his choosing and replace
the checksum while he's at it.
Even if the attacker doesn't know the entire message, he
can probably make headway if the checksum is something
predictable like CRC.
-Ekr
[Eric Rescorla Terisa Systems, Inc.]
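The construction EKR describes, worked through as an added example (this is not code from the original message or from any of the posters; the RC4 implementation, the CRC-32 checksum, the HMAC-SHA256 keyed hash, the keys and the messages are all assumptions made for the demonstration). It shows the two attacks from the message, full known-plaintext replacement and, for the "predictable checksum" case, a bit-flip that is patched up using only the linearity of CRC-32 without knowing the rest of the message, and then shows that the same tampering fails once the checksum is replaced by a keyed hash.

```python
"""Malleability of RC4(MSG || CHECKSUM(MSG)) versus RC4(MSG || MAC(MSG)).

Constructed demo: toy RC4, CRC-32 as the "checksum", HMAC-SHA256 as the
"keyed hash". Keys and messages below are made up for the example.
"""
import hashlib
import hmac
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 key scheduling + PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "big")


# --- The construction from the message: RC4(MSG || CHECKSUM(MSG)) ---
def encrypt_with_crc(key: bytes, msg: bytes) -> bytes:
    pt = msg + crc(msg)
    return xor(pt, rc4_keystream(key, len(pt)))


def decrypt_check_crc(key: bytes, ct: bytes):
    """Returns the message if the checksum verifies, else None."""
    pt = xor(ct, rc4_keystream(key, len(ct)))
    msg, tag = pt[:-4], pt[-4:]
    return msg if tag == crc(msg) else None


# Attack 1: attacker knows ALL of MSG, so he knows CHECKSUM(MSG) too,
# recovers the whole keystream and re-encrypts a message of his choosing.
def forge_known_plaintext(ct: bytes, known_msg: bytes, new_msg: bytes) -> bytes:
    assert len(new_msg) == len(known_msg)
    keystream = xor(ct, known_msg + crc(known_msg))
    return xor(new_msg + crc(new_msg), keystream)


# Attack 2: attacker knows only WHICH bits to flip, not the message.
# CRC-32 is affine: crc(a ^ d) == crc(a) ^ crc(d) ^ crc(zeros of len(a)),
# so the checksum can be patched without ever seeing MSG.
def forge_bitflip(ct: bytes, delta: bytes) -> bytes:
    crc_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ct, delta + crc_delta.to_bytes(4, "big"))


# --- The fix from the message: a keyed hash (MAC) instead of a checksum ---
def encrypt_with_mac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    pt = msg + tag
    return xor(pt, rc4_keystream(enc_key, len(pt)))


def decrypt_check_mac(enc_key: bytes, mac_key: bytes, ct: bytes):
    pt = xor(ct, rc4_keystream(enc_key, len(ct)))
    msg, tag = pt[:-32], pt[-32:]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    """Runs both attacks against the CRC construction and the MAC one."""
    key_crc, key_enc, key_mac = b"crc-demo-key", b"enc-demo-key", b"mac-demo-key"
    msg = b"PAY $0100 TO ALICE"
    # delta turns "$0100" into "$9100": only byte 5 changes (ord('0') ^ ord('9'))
    delta = bytes(5) + bytes([ord("0") ^ ord("9")]) + bytes(len(msg) - 6)

    ct = encrypt_with_crc(key_crc, msg)
    ct_mac = encrypt_with_mac(key_enc, key_mac, msg)
    return {
        "honest_crc": decrypt_check_crc(key_crc, ct),
        "full_replace": decrypt_check_crc(
            key_crc, forge_known_plaintext(ct, msg, b"PAY $9999 TO EVE  ")),
        "bitflip_crc": decrypt_check_crc(key_crc, forge_bitflip(ct, delta)),
        "honest_mac": decrypt_check_mac(key_enc, key_mac, ct_mac),
        # same bit-flip against the MAC'd message: tag can't be patched
        "bitflip_mac": decrypt_check_mac(key_enc, key_mac,
                                         xor(ct_mac, delta + bytes(32))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} -> {v!r}")
```

Both CRC forgeries verify on the receiving side, the second one without the attacker ever learning the full plaintext, which is the "makes headway with a predictable checksum" case; against the keyed hash the same tampering is rejected because the attacker cannot recompute the tag without the MAC key. (The toy reuses each RC4 key for one message only; reusing a stream-cipher key across messages is a separate problem not covered here.)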