[2837] in Kerberos


Re: Kerberos non-repudiation idea

daemon@ATHENA.MIT.EDU (Jim Miller)
Tue Oct 5 21:30:32 1993

From: jim@bilbo.suite.com (Jim Miller)
Date: Tue, 5 Oct 93 19:56:17 -0500
To: don@gza.com
Cc: kerberos@MIT.EDU
Reply-To: Jim_Miller@suite.com


> you're right that the XOR step provides a cheap extra
> layer of cryptographic security, but that's only true if
> the mask (your "nonce") is discarded after the first use.
> if you re-use the mask, its value vanishes, because the
> attacker can attack {msg1 ^ N}K and {msg2 ^ N}K by trying a
> value for K on both messages, and XOR'ing the putative
> plaintexts together. if he chooses the right K, he'll get
> msg1 ^ N ^ msg2 ^ N == msg1 ^ msg2.  this last is a known
> quantity, since both msg1 & msg2 are message-checksums,
> and as such are known to the attacker. thus, the attacker
> will still be able to tell when an exhaustive attack
> succeeds, unless every certificate is a single-use one. 



<sound of hand slamming against forehead>

I'm convinced.



> thanks, btw, for the bellcore reference; can you send me
> the title & the authors' names, so i can ask them for a
> reprint? 



Stuart Haber (stuart@bellcore.com) and Dr. W. Scott Stornetta  
(stornetta@bellcore.com) were the people who gave the Digital Time-Stamp  
presentation.  I don't know of any papers you could ftp, but I know of two  
articles that discuss the Bellcore Time-Stamp service.  They are:

The New York Times, Sunday, January 12, 1992 (section F, page 9)

Discover magazine, October 1992 (page 44)


BTW, thanks for your responses.

Jim_Miller@suite.com
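
The mask-reuse argument quoted above, as an added example that is not part of the original message: it builds {msg ^ N}K twice, once with a reused mask and once with fresh masks, and runs the quoted XOR check over every key. A toy 64-bit Feistel cipher with a 16-bit key stands in for the real cipher (an assumption, so the search finishes in seconds); the key, masks and checksums are constructed values.

```python
import hashlib

HALF = 4          # toy cipher: 8-byte block, two 4-byte halves
KEY_BITS = 16     # deliberately tiny key space (assumption for the demo)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: int, rnd: int, half: bytes) -> bytes:
    # Round function: truncated SHA-256 of key, round number and half-block.
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([rnd]) + half).digest()[:HALF]

def encrypt(key: int, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def decrypt(key: int, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def seal(key: int, checksum: bytes, mask: bytes) -> bytes:
    """{msg ^ N}K from the thread: mask the checksum, then encrypt."""
    return encrypt(key, xor(checksum, mask))

def keys_passing_xor_test(c1: bytes, c2: bytes, known_xor: bytes) -> list:
    """Keys K where D_K(c1) ^ D_K(c2) equals the publicly known msg1 ^ msg2."""
    return [k for k in range(1 << KEY_BITS)
            if xor(decrypt(k, c1), decrypt(k, c2)) == known_xor]

# Constructed sample values.
SECRET_KEY = 0xBEEF
MSG1 = bytes.fromhex("0123456789abcdef")   # checksum of message 1 (public)
MSG2 = bytes.fromhex("fedcba9876543210")   # checksum of message 2 (public)
MASK_A = bytes.fromhex("a5a5c3c30f0f5a5a")
MASK_B = bytes.fromhex("1122334455667788")

def reused_mask_result() -> list:
    c1, c2 = seal(SECRET_KEY, MSG1, MASK_A), seal(SECRET_KEY, MSG2, MASK_A)
    return keys_passing_xor_test(c1, c2, xor(MSG1, MSG2))

def fresh_mask_result() -> list:
    c1, c2 = seal(SECRET_KEY, MSG1, MASK_A), seal(SECRET_KEY, MSG2, MASK_B)
    return keys_passing_xor_test(c1, c2, xor(MSG1, MSG2))
```

With the mask reused, exactly one key passes the check, so the mask no longer hides when the search has succeeded; with a fresh mask per message the correct key does not pass, because the masks no longer cancel.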

