[12497] in cryptography@c2.net mail archive


Re: Columbia crypto box

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Feb 10 15:54:11 2003

X-Original-To: cryptography@wasabisystems.com
From: "Steven M. Bellovin" <smb@research.att.com>
To: bear <bear@sonic.net>
Cc: Matthew Byng-Maddick <cryptography@lists.colondot.net>,
	Donald Eastlake 3rd <dee3@torque.pothole.com>,
	cryptography@wasabisystems.com
Date: Mon, 10 Feb 2003 15:51:50 -0500

In message <Pine.LNX.4.40.0302101144420.13432-100000@bolt.sonic.net>, bear writes:
>
>>It's one of those things, like re-using a pad.
>
>Actually, it is re-using a pad, exactly.  It's just a pseudorandom
>pad (stream cipher) instead of a one-time pad.
>
>And while WEP had problems, it didn't have that particular problem.
>New messages with the "same" key would use a later chunk of the
>cipherstream pad under WEP.

That's not correct.  Each packet is encrypted with a key consisting of
<basekey,IV>, where "IV" is a 24-bit counter.  It does not use a later 
part of the stream; each packet starts from the beginning.

Note that with a 24-bit key, plus the difficulty of changing the key, 
there *will* be reuse.  It's compounded because (a) everyone has the 
same key, so there's lots of traffic; (b) both directions use the same 
key; and (c) some units, when power-cycled, always start the IV at 0, 
making collisions in that space more likely.

Read the Borisov et al. paper for more details on all of these points 
and more.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
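The per-packet keying Steve describes, as an added example that is not part of the thread: a small Python model using RC4 (the stream cipher WEP uses) with the 3-byte IV prepended to a constructed base key. It shows the pad cancelling when an IV repeats, and includes a simple IV-reuse monitor of the kind a WLAN IDS would run over observed frames; key and packet contents are constructed.

```python
from typing import Dict, Iterable, List, Tuple

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling plus n bytes of PRGA output (WEP's stream cipher)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(basekey: bytes, iv: int, plaintext: bytes) -> bytes:
    """Per-packet key is <IV, basekey>: the 24-bit IV (sent in the clear) prepended to
    the shared base key. RC4 restarts at byte 0 for every packet, never continuing."""
    iv_bytes = iv.to_bytes(3, "little")
    keystream = rc4_keystream(iv_bytes + basekey, len(plaintext))
    return iv_bytes + xor_bytes(plaintext, keystream)

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two packets under the same <IV, basekey> share a pad, so c1 ^ c2 == p1 ^ p2:
    the pseudorandom pad cancels exactly as a reused one-time pad would."""
    return xor_bytes(c1[3:], c2[3:])

def iv_reuse_events(ivs: Iterable[int]) -> List[Tuple[int, int, int]]:
    """Defender-side monitor: given IVs observed in frame order, report each repeat as
    (first_index, repeat_index, iv). Counters restarting at 0 show up immediately."""
    first_seen: Dict[int, int] = {}
    events = []
    for idx, iv in enumerate(ivs):
        if iv in first_seen:
            events.append((first_seen[iv], idx, iv))
        else:
            first_seen[iv] = idx
    return events

# Constructed sample data, not real keys or captured traffic.
BASEKEY = bytes.fromhex("0102030405")            # 40-bit WEP base key
P_STATION = b"station->AP: GET /index.html"      # both directions share BASEKEY
P_AP = b"AP->station: HTTP/1.0 200 OK"           # and both counters start at IV 0
```

Encrypting P_STATION and P_AP under the same IV and XORing the two ciphertexts (minus their IV prefixes) reproduces P_STATION ^ P_AP exactly, while `iv_reuse_events([0, 1, 2, 3, 0, 1])` flags the power-cycle restart as `[(0, 4, 0), (1, 5, 1)]`.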
