Re: Common random routines: for review
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Fri May 3 00:03:28 1996
To: "Richard Basch" <basch@lehman.com>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Thu, 2 May 1996 19:19:18 -0400 ." <199605022319.TAA14845@badger.lehman.com>
Date: Thu, 02 May 1996 23:52:43 -0400
From: Bill Sommerfeld <sommerfeld@orchard.medford.ma.us>
This generator has some obvious "structure" in its output which makes
me nervous; I don't see a practical way to exploit it, but it's there
all the same...

In 3des mode, the output is essentially

	des3cbc(sequence, ivec, 3deskey)

where sequence is 3 64-bit blocks long, initialized to zero, and
incremented after each generation.

Let's decompose the 3*64-bit output value Oi into its three subblocks
{Oi0, Oi1, Oi3}.

Given that you *know* the generator hasn't kicked out 2**64 outputs,
you know that the later bits of "sequence" are all zero.

Because the 2nd and 3rd ciphertext blocks are zero, the CBC chaining
thus collapses to:

	Oi0 = des3ecb(i, key)
	Oi2 = des3ecb(Oi0, key)
	Oi3 = des3ecb(Oi1, key)

and you wind up "publishing" two (or possibly three, if the attacker's
been keeping track of how many keys the KDC has generated) known
plaintext-ciphertext pairs of the underlying 3des key generation key
for each output.

This makes me really nervous..

					- Bill
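As an added illustration (not part of Bill's message and not the Kerberos code under review): a Python model of the construction the message describes. A constructed toy Feistel network stands in for 3DES, since the observation depends only on CBC chaining, not on the cipher. While the second and third counter blocks are still zero, each output collapses into a chain O_i0 = E(i xor ivec), O_i1 = E(O_i0), O_i2 = E(O_i1), so an observer obtains the two trailing plaintext/ciphertext pairs from the output alone, and the first pair as well if they know the count i (with a zero ivec the first plaintext is just i, as the message writes). The class and function names are this example's own.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as with DES/3DES


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher (constructed for this example, NOT 3DES):
    an 8-round Feistel network whose round function is SHA-256 of (key, round, half).
    Any keyed block cipher produces the same CBC chaining structure, which is the point."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor_bytes(left, f)
    return left + right


def cbc_encrypt(key: bytes, ivec: bytes, plaintext: bytes) -> bytes:
    """Plain CBC mode over toy_block_encrypt; plaintext is a whole number of blocks."""
    assert len(plaintext) % BLOCK == 0
    out, prev = b"", ivec
    for off in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, xor_bytes(plaintext[off:off + BLOCK], prev))
        out += prev
    return out


class CounterCbcGenerator:
    """The generator as the message describes it: output_i = cbc(sequence, ivec, key),
    where 'sequence' is three 64-bit blocks, starts at zero and is incremented per call.
    The counter lives in the first block; blocks 2 and 3 stay zero until 2**64 outputs."""

    def __init__(self, key: bytes, ivec: bytes = bytes(BLOCK)):
        self.key, self.ivec, self.counter = key, ivec, 0

    def generate(self) -> bytes:
        sequence = self.counter.to_bytes(BLOCK, "big") + bytes(2 * BLOCK)
        self.counter += 1
        return cbc_encrypt(self.key, self.ivec, sequence)


def known_pairs_from_output(ivec: bytes, i: int, output: bytes):
    """What an observer of output i learns WITHOUT the key: three (plaintext, ciphertext)
    pairs under the generation key. Pair 1's plaintext is the counter (xor ivec), which
    needs the count i; pairs 2 and 3 need nothing but the output itself."""
    o0, o1, o2 = output[:BLOCK], output[BLOCK:2 * BLOCK], output[2 * BLOCK:]
    return [(xor_bytes(i.to_bytes(BLOCK, "big"), ivec), o0), (o0, o1), (o1, o2)]


def chaining_collapses(key: bytes, ivec: bytes, i: int, output: bytes) -> bool:
    """Verify the collapsed relations with the key in hand: every pair reported by
    known_pairs_from_output really is a plaintext/ciphertext pair under `key`.
    True means the output carries the structure the message warns about."""
    return all(toy_block_encrypt(key, p) == c
               for p, c in known_pairs_from_output(ivec, i, output))


if __name__ == "__main__":
    gen = CounterCbcGenerator(b"constructed example key")  # constructed key material
    for i in range(4):
        out = gen.generate()
        print(i, out.hex(), "collapsed chain:", chaining_collapses(gen.key, gen.ivec, i, out))
```

`chaining_collapses` is the kind of property test worth keeping in a generator's test suite: if successive output blocks satisfy E(previous block) == next block under the generation key, the generator is handing out known pairs for that key with every output, regardless of which block cipher is plugged in.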