[505] in cryptography@c2.net mail archive


Re: How bad is this?

daemon@ATHENA.MIT.EDU (Bill Stewart)
Sat Apr 5 13:02:06 1997

Date: Sat, 05 Apr 1997 01:46:09 -0800
To: colin@nyx.net (Colin Plumb)
From: Bill Stewart <stewarts@ix.netcom.com>
Cc: cryptography@c2.net
In-Reply-To: <9704042225.AA25249@nyx.net>

At 03:25 PM 4/4/97 MST, Colin Plumb wrote:
>> The hash that's needed is
>> 	F(localhost, localport, remotehost, remoteport)
>> where F() isn't predictable from outside.  Would it be safe to use 
>> 	F() = Hash32(RC4(key, "localhost, localport, remotehost, remoteport"))
>> where Hash32 is some vanilla N-bits-to-32-bits hash such as a CRC32
>> or simple xor-by-words or even just last-32-bits?  ("key" is some passphrase,
>> perhaps plus a boot-time nonce.)  RC4 is pretty fast, and you can do the
>> key setup once and save the state.  You could even move "localhost" into
>> the key.
>> Or is using a stream-cypher as a hash just too unsafe?
>
>Well, consider a CRC32 (and xor-by-words is a degenerate case of that,
>with a polynomial of x^32+1).  This is linear, and a morphism
>W.R.T. xor, i.e. CRC32(x ^ y) = CRC32(x) ^ CRC32(y).  Now,
>RC4(key, data) is basically RC4(key) ^ data, since RC4 just generates
>a key stream.

I knew I shouldn't have written that without the RC4 and RC5 definitions
in front of me; I was forgetting that the data doesn't feed back into
the S-array in RC4.  You could do RC5 in some block-chaining mode,
and at least the only bit-bashing you need to do is the circular shifts,
but it may not be enough of a speed win to be worth it.  You could probably
get away with 12 rounds, which needs 2**53 chosen plaintexts for
linear cryptanalysis, since that's a _lot_ of connection attempts to go
by unnoticed, and since you don't really get to choose the plaintext
if you're using the last block's output as the hash and munging the
parts together.


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)
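As an added illustration of Colin's linearity argument (example code written for this archive page, not from either correspondent): a plain RC4 plus zlib's CRC32 (which, with its initial and final XORs, is affine rather than strictly linear over XOR, but the length-dependent constant cancels between two equal-length inputs), showing that F(x) ^ F(y) = CRC32(x) ^ CRC32(y) for every key, so a single observed F value fixes F for every other same-length 4-tuple. The key, the addresses and the fixed-width tuple encoding are constructed for the example.

```python
import zlib


def rc4_keystream(key: bytes):
    """Textbook RC4: key scheduling, then the PRGA. The S-array is never
    touched by the data, which is why RC4(key, data) == keystream ^ data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def encode_tuple(lhost: str, lport: int, rhost: str, rport: int) -> bytes:
    """Constructed fixed-width encoding of (localhost, localport, remotehost,
    remoteport): every input to F has the same length, so every input is
    XORed with the same keystream prefix."""
    return (bytes(int(o) for o in lhost.split(".")) + lport.to_bytes(2, "big")
            + bytes(int(o) for o in rhost.split(".")) + rport.to_bytes(2, "big"))


def proposed_f(key: bytes, tup: bytes) -> int:
    """The F() from the thread with Hash32 = CRC32: Hash32(RC4(key, tuple))."""
    return zlib.crc32(rc4(key, tup))


def predict_f(observed: bytes, f_observed: int, target: bytes) -> int:
    """Compute F(target) from one known (input, F(input)) pair, with no key:
    CRC32(ks ^ a) ^ CRC32(ks ^ b) == CRC32(a) ^ CRC32(b) because the CRC is
    affine over XOR and ks is identical for equal-length a and b."""
    return f_observed ^ zlib.crc32(observed) ^ zlib.crc32(target)


def key_independent(key: bytes, a: bytes, b: bytes) -> bool:
    """True when F(a) ^ F(b) does not depend on the key at all."""
    return proposed_f(key, a) ^ proposed_f(key, b) == zlib.crc32(a) ^ zlib.crc32(b)
```
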

