[506] in Kerberos
Re: encryption question
daemon@TELECOM.MIT.EDU (Ted Anderson)
Wed Sep 14 10:14:26 1988
From: Ted Anderson <ota+@andrew.cmu.edu>
To: kerberos@ATHENA.MIT.EDU, MILLER%erlang.DEC@DECWRL.DEC.COM
Cc: Mike Kazar <kazar+@ANDREW.CMU.EDU>
In-Reply-To: <8809132001.AA16517@decwrl.dec.com>
Let me try to be a little more clear.
There is a relatively obscure comment in the paper by Birrell called "Secure
Communication Using Remote Procedure Calls" where he mentions that the method
he suggests for detecting modifications to cipher text is inadaquate. He was
using standard CBC encryption with a message checksum at the end. He refers to
the Voydock and Kent article "Security Mechanisms in High-Level Network
Protocols" which I looked at. By implication the checksum he was using was a
simple XOR which was (probably then encrypted with CBC as) the last block of
the message. The weakness is that if an attacker swaps to adjacent cipher
blocks the checksum will not help detect the modification.
It was not entirely clear to me at first what method he was using so I figured
it would be a good idea to try it out with the Kerberos PCBC routine. As I
understand it Kerberos encrypts messages with PCBC which does a much better job
of ciphertext error propagation and so doesn't use a checksum at all. I wrote
a little program which just swapped the two first two bolcks of ciphertext
obtained from pcbc_encrypt of a simple message and then decrypted it. The
result was that the two exchanged blocks were garbled but no subsequent blocks
were affected.
Here is the program I used which also inverts a single bit in the ciphertext to
see what happens:
long msg[8]; /* this is a four block (64 bits each) message
*/
long out[8];
string_to_key ("abcdefgh", key);
code = key_sched (key, schedule);
for (i=0; i<8; i++) msg[i]=i;
print_msg ("Input message", msg, sizeof(msg));
pcbc_encrypt (msg, out, sizeof(msg), schedule, default_ivec, ENCRYPT);
print_msg ("Using Kerberos PCBC", out, sizeof(msg));
pcbc_encrypt (out, msg, sizeof(msg), schedule, default_ivec, DECRYPT);
print_msg ("Decrypted", msg, sizeof(msg));
/* invert the 32nd bit of the first ciphertext block */
out[0] ^= 1;
pcbc_encrypt (out, msg, sizeof(msg), schedule, default_ivec, DECRYPT);
print_msg ("Invert 32nd bit", msg, sizeof(msg));
out[0] ^= 1; /* set the bit back */
/* swap first two ciphertext blocks */
{ unsigned long temp;
temp = out[0];
out[0] = out[2];
out[2] = temp;
temp = out[1];
out[1] = out[3];
out[3] = temp;
}
pcbc_encrypt (out, msg, sizeof(msg), schedule, default_ivec, DECRYPT);
print_msg ("Exchanging first two ciphertext blocks", msg, sizeof(msg));
and here is the output:
Input message
00000000 00000001 00000002 00000003 00000004 00000005 00000006 00000007
Using Kerberos PCBC
fd09ff5a 90f9e7d0 bc58ef9f 400c9454 811a8b28 4138af1d a47698d4 c68a246d
Decrypted
00000000 00000001 00000002 00000003 00000004 00000005 00000006 00000007
Invert 32nd bit
6d4851de 177f7242 6d4851dd 177f7240 6d4851db 177f7246 6d4851d9 177f7244
Exchanging first two ciphertext blocks
fd09ff58 90f9e7d2 415110c7 d0f57387 00000004 00000005 00000006 00000007
Ted Anderson
