[621] in cryptography@c2.net mail archive
Re: The unmentionable algorithm
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Mon Apr 21 19:32:27 1997
To: jamesd@echeque.com
cc: Steven Bellovin <smb@research.att.com>, coderpunks@toad.com,
cryptography@c2.net
In-reply-to: Your message of "Mon, 21 Apr 1997 14:17:12 PDT."
<v02140b1faf8189c3a591@[206.14.182.14]>
Reply-To: perry@piermont.com
Date: Mon, 21 Apr 1997 19:15:22 -0400
From: "Perry E. Metzger" <perry@piermont.com>
by way of jon@phc.net (Jon Hunter) writes:
> At 06:38 PM 4/19/97 -0400, Steven Bellovin wrote:
> > For example, in the
> > absence of strong authentication, an enemy can make *predictable*
> > changes to the ciphetext.
>
> This means if he knows, or strongly suspects, the original
> message, he can substitute a new message. But since people
> generally do not use shared symmetric keys for authentication
> this is not a problem.
Many systems used shared keys for authentication. See, for example,
IPSec, which used symmetric keys for authentication.
> In fact they generally do not use shared symmetric keys at all.
People don't use shared symmetric keys on a permanent basis. They
frequently use them in the context of individual sessions.
> > Second, I think you overestimate the virtue of simplicity here. DES
> > itself is simple, except for the S-box design
>
> No it is not. Anybody can write down the RC4 algorithm from memory
> and get it right. If you can do that with DES you are some kind of
> mutant, even if you are allowed to choose random S boxes.
If I could choose new S and P boxes, it wouldn't be especially hard
to produce a nearly identical algorithm from memory. Of course, the
security depends on the choice of the S boxes.
> > Personally, I've long had qualms about the key setup process. It's
> > never been obvious to me that it achieves a flat distribution across
> > the input key space.
>
> Probably because it does not achieve a flat distribution across
> the input key space, but since the space in question is
> 256! = sqr(2*Pi) * (2^2052)/(e^256), which is 2^1684, this
> is hardly a serious problem.
Do not confuse size of a space for security. The number of keys
available to a monoalphabetic substitution over the eight bit bytes is
also 256!, and yet that is a totally insecure system.
> If the key setup were to make some cases several billion times likelier
> than others, this would not weaken the algorithm.
You obviously haven't been following linear and differential
cryptanalysis of late, which play games with very slight probability
differences in block ciphers. If you can really show that some cases
are substantially more likely than others you can do ugly things to
crack the cipher.
Perry
