[528] in Kerberos
Re: Ticket Authentication
daemon@TELECOM.MIT.EDU (Steve Miller)
Mon Nov 7 11:04:54 1988
From: miller%erlang.DEC@DECWRL.DEC.COM (Steve Miller)
To: kerberos@ATHENA.MIT.EDU, MILLER%erlang.DEC@DECWRL.DEC.COM
As Ted pointed out, the new "pcbc" mode I suggested in a Nov 2 memo is no good -
the cleartext could be recovered by an exhaustive search of XORs. I retract
the suggestion -- the cure was worse than the disease. Our crypto guy also
realized this, but unfortunately not until after I had sent the note out.
So much for ad-hoc design.
It still may be possible to construct a modified pcbc mode with the desired
properties by using other operations on the plaintext. For example, instead
of XORing the plaintext, as in the original Kerberos pcbc, add a running sum
of all the plaintext blocks. (I don't know if this particular one works.)
Some such solutions will be data sensitive. I don't have time to play with
these.
So my revised recommendation is that for the next version of Kerberos other
possible pcbc modes are investigated. If a satisfactory one is found that
always propagates errors (doesn't resync), even if two ciphertext blocks are
switched, is not particularly data sensitive, and doesn't put a simple function
of the plaintext on the wire, use it. Otherwise, use vanilla cbc mode and
add a checksum to the end of the ticket, as Ted suggested. The checksum
should be inexpensive to compute compared to DES itself. I have been very
reluctant to add a checksum because even if the checksum calculation is free,
it adds to the length of the ticket, and therefore the DES encryption costs.
Steve.
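The following is an added illustration of the three options weighed in the message above (original Kerberos pcbc, the running-sum variant, and vanilla cbc with a trailing checksum); it is example code written for this archive page, not code from the message, from Kerberos, or from MIT. It makes several assumptions: a 4-round Feistel permutation built from SHA-256 stands in for DES so that the block runs without a DES library; "add a running sum of all the plaintext blocks" is read as XORing the previous ciphertext block with the mod-2^64 sum of all earlier plaintext blocks (one possible reading, not necessarily the one intended); CRC32 is used as the "inexpensive" checksum; and the ticket fields, key and IV are constructed values. Each chaining mode is written as a small rule so that the modes differ only in what is fed forward, and damaged_blocks() reports which plaintext blocks decrypt wrongly after two ciphertext blocks are switched, which is the resynchronisation case the message wants a new mode to resist.

```python
import hashlib
import zlib
from typing import Callable, List

BLOCK = 8  # 64-bit blocks, the DES block size
MASK64 = (1 << 64) - 1

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data: bytes) -> List[bytes]:
    assert len(data) % BLOCK == 0, "toy code: caller supplies whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # Stand-in for DES (assumption): a 4-round Feistel permutation built from
    # SHA-256. Not a real cipher; the modes only need an invertible keyed block map.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:BLOCK // 2]
        left, right = right, xor(left, f)
    return right + left  # undo the last swap; decryption is the same loop run backwards

def enc_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(4))

def dec_block(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(3, -1, -1))

# A chaining rule maps (plaintext block, ciphertext block, carried state) to the
# value XORed into the next block before encryption / after decryption, plus new state.
def cbc(p: bytes, c: bytes, state: int):
    """Vanilla CBC: C_i = E(P_i xor C_{i-1})."""
    return c, state

def pcbc(p: bytes, c: bytes, state: int):
    """Original Kerberos PCBC: C_i = E(P_i xor P_{i-1} xor C_{i-1})."""
    return xor(p, c), state

def sumcbc(p: bytes, c: bytes, state: int):
    """One reading (assumption) of the running-sum idea in the message:
    C_i = E(P_i xor C_{i-1} xor S_{i-1}), S_i = (P_1 + ... + P_i) mod 2^64."""
    state = (state + int.from_bytes(p, "big")) & MASK64
    return xor(c, state.to_bytes(BLOCK, "big")), state

def encrypt(rule: Callable, key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, chain, state = [], iv, 0
    for p in blocks(pt):
        c = enc_block(key, xor(p, chain))
        out.append(c)
        chain, state = rule(p, c, state)
    return b"".join(out)

def decrypt(rule: Callable, key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, chain, state = [], iv, 0
    for c in blocks(ct):
        p = xor(dec_block(key, c), chain)
        out.append(p)
        chain, state = rule(p, c, state)
    return b"".join(out)

def damaged_blocks(rule: Callable, key: bytes, iv: bytes, pt: bytes, i: int, j: int) -> List[int]:
    """Encrypt, swap ciphertext blocks i and j, decrypt, and list the plaintext blocks
    that came out wrong; blocks missing from the tail decrypted correctly, i.e. the
    mode resynchronised after the swap."""
    cs = blocks(encrypt(rule, key, iv, pt))
    cs[i], cs[j] = cs[j], cs[i]
    got = blocks(decrypt(rule, key, iv, b"".join(cs)))
    return [n for n, (g, w) in enumerate(zip(got, blocks(pt))) if g != w]

def seal(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """'Vanilla cbc plus a checksum at the end': CRC32 is cheap next to a block cipher."""
    return encrypt(cbc, key, iv, payload + zlib.crc32(payload).to_bytes(BLOCK, "big"))

def unseal(key: bytes, iv: bytes, ct: bytes):
    pt = decrypt(cbc, key, iv, ct)
    payload, tag = pt[:-BLOCK], pt[-BLOCK:]
    return payload if zlib.crc32(payload).to_bytes(BLOCK, "big") == tag else None

# Constructed sample: six 8-byte fields standing in for a ticket; key and IV are arbitrary.
KEY, IV = b"toy-key!", bytes(BLOCK)
TICKET = b"kerberos" b"user@MIT" b"session " b"key-0123" b"expires " b"19881107"

def demo() -> dict:
    result = {}
    for rule in (cbc, pcbc, sumcbc):
        assert decrypt(rule, KEY, IV, encrypt(rule, KEY, IV, TICKET)) == TICKET
        result[rule.__name__] = damaged_blocks(rule, KEY, IV, TICKET, 1, 2)
    sealed = blocks(seal(KEY, IV, TICKET))
    result["sealed_ok"] = unseal(KEY, IV, b"".join(sealed)) == TICKET
    sealed[1], sealed[2] = sealed[2], sealed[1]
    result["swap_detected"] = unseal(KEY, IV, b"".join(sealed)) is None
    return result

if __name__ == "__main__":
    print(demo())
```

Running the file prints the damaged block indices for each mode after switching ciphertext blocks 1 and 2. Under cbc, blocks 1, 2 and 3 are wrong and the mode resynchronises; under the original pcbc only blocks 1 and 2 are wrong and everything after them, including a trailing block a receiver might be checking, decrypts cleanly, which is why a switched pair defeats the error propagation pcbc was meant to provide. Under the running-sum reading, every block from the swap onward is wrong on this sample, but that is one input and says nothing about the data-sensitivity or "simple function of the plaintext on the wire" concerns the message raises. The sealed cbc ticket detects the swap through its checksum; note that an unkeyed CRC under CBC only catches garbling and reordering of this kind and is not a keyed integrity check.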