Re: A collection of suggested changes to Kerberos.
daemon@TELECOM.MIT.EDU (Jon Rochlis)
Sat Dec 3 01:05:33 1988
From: Jon Rochlis <jon@ATHENA.MIT.EDU>
To: kfall@okeeffe.berkeley.edu
Cc: Bill Sommerfeld <wesommer@ATHENA.MIT.EDU>, kerberos@ATHENA.MIT.EDU
In-Reply-To: Kevin Fall's message of Mon, 28 Nov 88 01:59:54 PST,
>
> 1.2) Use of checksum instead of depending on pcbc encryption.
>
> It was determined (experimentally) that PCBC encryption does not
> protect against swapped cyphertext blocks. It was suggested that a
> checksum (probably something like a 32 bit CRC) be added to the
> ticket to make it "safe" against tampering.
>
> Todd Smith suggested checksumming the cyphertext and then encrypting
> the checksum.
>
Essentially this is like doing a simple encrypted checksum of some
cleartext to prevent non-tampering. It is important to note
that (given a publicly-available checksumming algorithm), it
may be possible to produce an identical checksum from a different
cleartext block (say by incrementing some don't-care byte).
To discourage this, part of the original cleartext block
should be included in the encrypted portion, not just
the checksum itself.
Voydock and Kent state that if you use an N-bit cyclic code (in
addition to cbc mode encryption) the probability of an arbitrary burst
error or reordering attack succeeding is 1/(2**n) ... that would
seem good enough for n=32 ... a longitudinal parity check whose size is
a multiple of the cbc block won't detect switched ciphertext blocks ...
-- Jon
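The two points in this thread (PCBC on its own does not notice swapped ciphertext blocks, and a block-sized longitudinal parity check cannot catch reordering while a cyclic code placed under the encryption can) are illustrated below. This is an added example written for this archive page, not code from the thread or from the Kerberos sources: a small Feistel cipher with 8-byte blocks stands in for DES, the PCBC chaining follows the definition C_i = E(P_i XOR P_{i-1} XOR C_{i-1}), and the names `seal`, `open_sealed`, `lrc` and `swap_blocks` are hypothetical. The "ticket" text and key are constructed values.

```python
import hashlib
import struct
import zlib

BLOCK = 8    # DES-sized block, as in Kerberos tickets
ROUNDS = 8   # rounds of the toy Feistel cipher below


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function (assumption: a hash-based PRF, not DES) mapping a
    # 4-byte half block to 4 bytes under the key and round index.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round_fn(key, i, r))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round_fn(key, i, l)), l
    return l + r


def pcbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # PCBC: each block is XORed with both the previous plaintext and the
    # previous ciphertext block before encryption.
    assert len(pt) % BLOCK == 0
    chain, out = iv, []
    for i in range(0, len(pt), BLOCK):
        p = pt[i:i + BLOCK]
        c = block_encrypt(key, xor(p, chain))
        out.append(c)
        chain = xor(p, c)
    return b"".join(out)


def pcbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Decryption raises no error on a reordered ciphertext: the two
    # swapped blocks come out garbled and every block after them is
    # recovered correctly, which is why a separate check is needed.
    chain, out = iv, []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        p = xor(block_decrypt(key, c), chain)
        out.append(p)
        chain = xor(p, c)
    return b"".join(out)


def seal(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Cyclic code (CRC-32) over the cleartext, carried inside the encrypted
    # region together with the data itself, as suggested in the thread.
    header = struct.pack(">II", zlib.crc32(data) & 0xFFFFFFFF, len(data))
    body = header + data
    body += bytes(-len(body) % BLOCK)   # zero padding to a whole block
    return pcbc_encrypt(key, iv, body)


def open_sealed(key: bytes, iv: bytes, ct: bytes):
    """Return the cleartext, or None if the checksum does not verify."""
    if len(ct) < BLOCK or len(ct) % BLOCK:
        return None
    body = pcbc_decrypt(key, iv, ct)
    crc, n = struct.unpack(">II", body[:8])
    if n > len(body) - 8:
        return None
    data = body[8:8 + n]
    if zlib.crc32(data) & 0xFFFFFFFF != crc:
        return None
    return data


def lrc(data: bytes) -> bytes:
    # Block-sized longitudinal parity check: XOR of all blocks. XOR is
    # commutative, so any reordering of the blocks leaves it unchanged.
    acc = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        acc = xor(acc, data[i:i + BLOCK].ljust(BLOCK, b"\0"))
    return acc


def swap_blocks(ct: bytes, i: int, j: int) -> bytes:
    # Corruption model used to exercise the check: two blocks exchanged in transit.
    blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
    blocks[i], blocks[j] = blocks[j], blocks[i]
    return b"".join(blocks)


# Constructed sample values (not real Kerberos keys or ticket contents).
KEY = b"constructed-toy-key"
IV = bytes(BLOCK)
MSG = b"ticket: user=jon realm=ATHENA.MIT.EDU life=255 (constructed)"

if __name__ == "__main__":
    ct = seal(KEY, IV, MSG)
    print("round trip ok:", open_sealed(KEY, IV, ct) == MSG)
    print("swapped blocks rejected:", open_sealed(KEY, IV, swap_blocks(ct, 1, 2)) is None)
    a, b = b"A" * BLOCK, b"B" * BLOCK
    print("parity check blind to reordering:", lrc(a + b) == lrc(b + a))
```

Two things to take from running it: `pcbc_decrypt` on the reordered ciphertext returns bytes with no error and the blocks after the swapped pair are intact, so nothing in the cipher mode itself flags the damage; only the checksum carried under the encryption does. CRC-32 is linear, so this scheme detects reordering and burst errors at the 1/2**32 level discussed in the thread but is not a substitute for a keyed MAC (e.g. HMAC) in a modern design.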