[499] in cryptography@c2.net mail archive
Re: How bad is this?
daemon@ATHENA.MIT.EDU (Steve)
Fri Apr 4 17:24:16 1997
To: Bill Stewart <stewarts@ix.netcom.com>
cc: perry@piermont.com, cryptography@c2.net
In-reply-to: Your message of "Thu, 03 Apr 1997 22:25:20 PST."
<3.0.1.32.19970403222520.00675e30@popd.ix.netcom.com>
Date: Fri, 04 Apr 1997 13:51:37 -0800
From: Steve <steve@edmweb.com>
> The hash that's needed is
> F(localhost, localport, remotehost, remoteport)
> where F() isn't predictable from outside. Would it be safe to use
> F() = Hash32(RC4(key, "localhost, localport, remotehost, remoteport"))
> where Hash32 is some vanilla N-bits-to-32-bits hash such as a CRC32
> or simple xor-by-words or even just last-32-bits?

I read your F() as being a bit ambiguous, but I don't think there's any
way it would have the same properties of the F() from RFC 1948.

If you're talking about encrypting "localhost, localport, remotehost,
remoteport" with RC4 and then using a Hash32 on it, I think the result
would have whatever problems are associated with truly random ISNs
because you aren't going to get the same result twice except by pure
luck.

If you're talking about XORing the "localhost, localport, remotehost,
remoteport" data with the same 12 pseudo-random bytes every time, then
it's way too linear.

If you're talking about seeding RC4 using "key, localhost, localport,
remotehost, remoteport" and running a few bytes of output through
Hash32, then it _might_ work even without the Hash32, but you would
have to re-seed RC4 for every connection which is probably way too
slow.

What could work is encrypting "localhost, localport, remotehost,
remoteport" with a _block_cipher_ then Hash32'ing the ciphertext (or
truncating it, if it's only one block) but I can't comment on the
security of such a construction.

Probably what is needed is a fast, semi-secure MAC with a key large
enough that deficiencies in the algorithm don't matter. I haven't
looked at Colin Plumb's code yet...
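An added illustration, not code from either poster, of the two constructions discussed above: an RFC 1948-style ISN offset computed with a keyed MAC over the 4-tuple (HMAC-SHA256 truncated to 32 bits stands in for the "fast, semi-secure MAC"; RFC 1948 itself used MD5 over the tuple and a secret), beside the "same 12 pseudo-random bytes every time" reading with an xor-by-words Hash32, where the key cancels out of the XOR of any two connections' offsets. The helper names and the 4-microsecond clock argument are this example's own assumptions.

```python
import hmac
import hashlib
import struct

def pack_tuple(localhost, localport, remotehost, remoteport):
    """Serialise the connection 4-tuple (IPv4 dotted quads, ports) to 12 bytes."""
    la = bytes(int(o) for o in localhost.split("."))
    ra = bytes(int(o) for o in remotehost.split("."))
    return la + struct.pack("!H", localport) + ra + struct.pack("!H", remoteport)

def f_keyed_mac(key, *conn):
    """RFC 1948-style F(): keyed MAC over the 4-tuple, truncated to 32 bits.
    HMAC-SHA256 is an assumed stand-in for the MAC the thread leaves open."""
    tag = hmac.new(key, pack_tuple(*conn), hashlib.sha256).digest()
    return struct.unpack("!I", tag[:4])[0]

def isn(key, clock_4us, *conn):
    """ISN = M + F(...) mod 2^32, M being the 4-microsecond clock of RFC 793."""
    return (clock_4us + f_keyed_mac(key, *conn)) & 0xFFFFFFFF

def xor_words32(data):
    """The 'simple xor-by-words' Hash32 from the quoted message (len % 4 == 0)."""
    out = 0
    for i in range(0, len(data), 4):
        out ^= struct.unpack("!I", data[i:i + 4])[0]
    return out

def f_fixed_keystream(keystream12, *conn):
    """Second reading of F(): XOR the tuple with the same 12 key bytes each
    time, then Hash32 the result."""
    masked = bytes(a ^ b for a, b in zip(pack_tuple(*conn), keystream12))
    return xor_words32(masked)

def keystream_cancels(keystream12, conn_a, conn_b):
    """Why that reading is 'way too linear': since Hash32 is linear over XOR,
    F(a) ^ F(b) equals Hash32(tuple_a ^ tuple_b) whatever the 12 key bytes are,
    so the secret hides nothing about how two connections' offsets relate."""
    lhs = f_fixed_keystream(keystream12, *conn_a) ^ f_fixed_keystream(keystream12, *conn_b)
    rhs = xor_words32(bytes(x ^ y for x, y in zip(pack_tuple(*conn_a), pack_tuple(*conn_b))))
    return lhs == rhs
```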