[596] in cryptography@c2.net mail archive


The unmentionable algorithm

daemon@ATHENA.MIT.EDU (jamesd@echeque.com)
Mon Apr 21 10:04:48 1997

From: jamesd@echeque.com
Date: Sat, 19 Apr 1997 19:59:12 +0800
To: Steven Bellovin <smb@research.att.com>
Cc: coderpunks@toad.com, cryptography@c2.net

At 06:38 PM 4/19/97 -0400, Steven Bellovin wrote:
> For example, in the
> absence of strong authentication, an enemy can make *predictable*
> changes to the ciphertext.

This means if he knows, or strongly suspects, the original 
message, he can substitute a new message.  But since people 
generally do not use shared symmetric keys for authentication,
this is not a problem.  In fact they generally do not use 
shared symmetric keys at all.  (What one man knows, nobody 
knows, what two men know, everyone knows.)

> Similarly, if used by itself there's no
> standard way to take advantage of an IV to disguise common prefixes.

Huh?  Rephrase.

> Second, I think you overestimate the virtue of simplicity here.  DES
> itself is simple, except for the S-box design 

No it is not.  Anybody can write down the RC4 algorithm from memory
and get it right.  If you can do that with DES you are some kind of 
mutant, even if you are allowed to choose random S boxes.

> Personally, I've long had qualms about the key setup process.  It's
> never been obvious to me that it achieves a flat distribution across
> the input key space. 

Probably because it does not achieve a flat distribution across 
the input key space, but since the space in question is 
256! = sqrt(2*Pi) * (2^2052)/(e^256), which is 2^1684, this 
is hardly a serious problem.

If the key setup were to make some cases several billion times likelier 
than others, this would not weaken the algorithm.
 ---------------------------------------------------------------------
              				|  
We have the right to defend ourselves	|   http://www.jim.com/jamesd/
and our property, because of the kind	|  
of animals that we are. True law	|   James A. Donald
derives from this right, not from the	|  
arbitrary power of the state.		|   jamesd@echeque.com

