[605] in cryptography@c2.net mail archive
Re: The unmentionable algorithm
daemon@ATHENA.MIT.EDU (EKR)
Mon Apr 21 13:30:02 1997
To: jamesd@echeque.com
cc: Adam Back <aba@dcs.ex.ac.uk>, smb@research.att.com, coderpunks@toad.com,
cryptography@c2.net
In-reply-to: Your message of "Sun, 20 Apr 1997 01:46:00 +0800."
<199704202046.NAA12661@proxy3.ba.best.com>
Date: Sun, 20 Apr 1997 17:58:02 -0700
From: EKR <ekr@terisa.com>
> At 11:32 AM 4/20/97 -0700, EKR wrote:
> > but just sending a checksum certainly isn't sufficient. In fact,
> > neither is sending a cryptographically strong hash. You need to
> > send a keyed hash.
> >
> > Consider the case where the ciphertext is:
> > RC4 (MSG || CHECKSUM(MSG)) where || is concatenation.
> > Assume, further, that the attacker knows not some of MSG
> > but all of it.
>
> Assume instead that the checksum includes the session key,
> and indeed all shared information concerning the session,
> so that the attacker cannot know all of it.
Then it depends what the checksum is:
Consider the following construction:
CHECKSUM(K,MSG)=MD5(K||MSG)
Assume this time that the checksum is in the clear,
and that the attacker knows the plaintext of a given
packet. He can then potentially mount an extension attack
on the previous packet.
Other attacks are probably possible if the checksum is
something weaker, like CRC.
> In any case none of these problems are cryptographic
> weaknesses of RC4, and thus they do not bear on my
> original assertion that a simple algorithm is preferable
> to a complex algorithm because it is less likely to
> contain hidden flaws.
It's true that these aren't cryptographic weaknesses in
RC4. They're gotchas with using any stream cipher that
doesn't have feedback from the plaintext. But they're gotchas
that don't exist with block ciphers. Remember, a lot of
protocols are broken not because the underlying components
are weak but because they are misapplied. Consequently,
ease of correct use is a virtue to be weighed along with
cryptographic security.
-Ekr
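Both gotchas above, worked as an added example that is not part of the original message or any code of EKR's: a pure-Python MD5 that exposes its chaining state (hashlib cannot resume from a digest, which is exactly what the attacker needs), RC4, the known-plaintext forgery against RC4(MSG || MD5(MSG)), and the length-extension forgery against a cleartext MD5(K || MSG). The key, message and packet layout are constructed; the attacker is assumed to know the key's length (fixed by most protocols, and otherwise a small search). HMAC is shown as the keyed-hash receiver that the extension does not fool.

```python
import hashlib
import hmac
import math
import struct

# Pure-Python MD5 that exposes its chaining state; needed because hashlib
# gives no way to resume from a digest, which is exactly what the attacker does.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2**32) & 0xFFFFFFFF for i in range(64)]
_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)

def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & 0xFFFFFFFF

def _compress(state, block):
    """One MD5 compression of a 64-byte block into the four chaining words."""
    a, b, c, d = state
    m = struct.unpack("<16I", block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | (~d & 0xFFFFFFFF)), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & 0xFFFFFFFF
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & 0xFFFFFFFF
    return tuple((x + y) & 0xFFFFFFFF for x, y in zip(state, (a, b, c, d)))

def md5_padding(total_len):
    """Padding MD5 appends to a total_len-byte preimage: 0x80, zeros, 64-bit LE bit count."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack("<Q", total_len * 8)

def md5(data, state=_IV, total_len=None):
    """MD5(data), or, given a prior digest as state plus the full preimage length,
    the digest of (unseen prefix || data) as if hashing had simply continued."""
    total_len = len(data) if total_len is None else total_len
    padded = data + md5_padding(total_len)
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack("<4I", *state)

def length_extend(tag, prefix_len, extension):
    """From MD5(secret || msg) and len(secret || msg) alone, forge
    (suffix, MD5(secret || msg || suffix)) where suffix ends in extension."""
    glue = md5_padding(prefix_len)                 # padding the victim's hash absorbed
    state = struct.unpack("<4I", tag)              # the digest is the chaining state
    new_tag = md5(extension, state, prefix_len + len(glue) + len(extension))
    return glue + extension, new_tag

def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Gotcha 1: packet = RC4(MSG || MD5(MSG)) and the attacker knows all of MSG.
def forge_unkeyed(ciphertext, known_msg, new_msg):
    keystream = xor(ciphertext, known_msg + md5(known_msg))  # known plaintext => keystream
    return xor(new_msg + md5(new_msg), keystream)            # any message of equal length

def open_unkeyed(key, ciphertext):
    pt = rc4(key, ciphertext)
    return pt[:-16] if md5(pt[:-16]) == pt[-16:] else None

# Gotcha 2: MSG sent with MD5(K || MSG) in the clear; HMAC is the keyed-hash fix.
def check_prefix_mac(key, msg, tag):
    return md5(key + msg) == tag

def check_hmac(key, msg, tag):
    return hmac.compare_digest(hmac.new(key, msg, hashlib.md5).digest(), tag)

def matches_hashlib(data):
    """Sanity check of the toy MD5 against the standard library."""
    return md5(data) == hashlib.md5(data).digest()

def demo(key=b"shared-session-key", msg=b"PAY 0100 TO BOB"):
    """Constructed values. The attacker never sees key but knows its length."""
    ct = rc4(key, msg + md5(msg))                               # gotcha 1 wire format
    forged = open_unkeyed(key, forge_unkeyed(ct, msg, b"PAY 9999 TO EVE"))
    tag = md5(key + msg)                                        # gotcha 2 wire format
    suffix, new_tag = length_extend(tag, len(key) + len(msg), b" AND 9999 TO EVE")
    return {"forged_stream_msg": forged,                        # receiver accepts it
            "prefix_mac_fooled": check_prefix_mac(key, msg + suffix, new_tag),
            "hmac_fooled": check_hmac(key, msg + suffix, new_tag)}
```

Run `demo()`: the receiver accepts the forged stream-cipher packet, accepts the extended message under MD5(K || MSG), and rejects it under HMAC. The one practical caveat is that the extended message carries MD5's own glue padding (0x80, zeros, a length field) between the original text and the attacker's suffix, so the attack is only useful against a parser that tolerates those bytes. The assumed key length is the other input the attacker needs; in a fixed protocol it is public.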