[1118] in Kerberos_V5_Development
Re: OV admin system integration plan
daemon@ATHENA.MIT.EDU (Richard Basch)
Mon May 6 11:50:35 1996
Date: Mon, 6 May 1996 11:49:22 -0400
To: "Donald T. Davis" <don@cam.ov.com>
Cc: Marc Horowitz <marc@MIT.EDU>, krbdev@MIT.EDU
In-Reply-To: <199605060207.WAA05155@gza-client1.cam.ov.com>
From: "Richard Basch" <basch@lehman.com>
On Sun, 5-May-1996, "Donald T. Davis" wrote to "Marc Horowitz, don@cam.ov.com, krbdev@MIT.EDU" saying:
>
> marc wrote:
> > Someone should pick up a copy of Schneier, read the section on
> > PRNG's, and pick a good one for our purposes.
>
> the soundest prng is blum, blum, and shub, but it's also
> one of the slowest. afaik, the only prng's that have
> been proven to be random and to be unpredictable (modulo
> complexity assumptions), are all much slower than des.
>
> i don't see anything wrong with using des as the prng.
> if you're worried about des' security, it still isn't
> necessary to use 3des for key-generation. probably the
> best bet, if you want to be snazzy, would be single-key
> cfb mode.
>
> there was a paper by preneel at crypto '93, showing
> that des' cfb mode is much more secure than the other
> modes, against differential cryptanalysis and against
> linear cryptanalysis. btw, preneel also mentioned that
> cfb mode causes the initial permutation to contribute
> to des' diffusion properties. as i remember, it's best
> to feed at least 8 bits in.
> -don davis, boston
While DES cfb mode may be more secure against differential cryptanalysis
attacks, the attack we speculated with my original implementation was a
codebook generation attack. By knowing that the sequence started from 0
or 1 (LSB mode), the encryption of the first block was basically the IV
for the second block. For each session key the KDC was generating with
this mode, I was giving out two codebook entries.
    clear                  cipher
    skey (block 1)   -->   skey (block 2)
    skey (block 2)   -->   skey (block 3)
(Blocks 2 & 3 were zero, so you are essentially only doing an ECB
encryption of the previous block).
Eventually, you would build up the entire codebook for the random
generator key. The problem with cfb mode and a session key generator is
that you have to avoid giving out keying/codebook material, and when the
sequence numbers had blocks of zeros, this is hard to do.
--
Richard Basch
Sr. Developer/Analyst URL: http://web.mit.edu/basch/www/home.html
Lehman Brothers, Inc. Email: basch@lehman.com, basch@mit.edu
101 Hudson St., 33rd Floor Fax: +1-201-524-5828
Jersey City, NJ 07302-3988 Voice: +1-201-524-5049
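To make the structural point of the message concrete, here is an added Python example; it is not code from the Kerberos sources or from either author. It models the generator as described: full-block CFB over a sequence number whose first block carries a small counter and whose remaining blocks are zero, all under one long-lived generator key. It then extracts the (input, E_K(input)) pairs that a single emitted session key hands out and checks them against the block function, which is the test a reviewer would run against a candidate generator design. The Python standard library has no DES, so an HMAC-based 8-byte keyed function stands in for the DES block operation; the generator key, the zero IV and the 24-byte (three-block) key layout are assumptions of this model.

```python
import hmac
import hashlib

BLOCK = 8  # DES block size in bytes


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for single-DES ECB encryption of one 8-byte block.

    Assumption: the standard library has no DES, so HMAC-SHA256 truncated
    to 8 bytes plays the keyed block function. Only the mode-of-operation
    structure matters for the argument, not the cipher itself.
    """
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block (64-bit feedback) CFB: C_i = P_i XOR E_K(C_{i-1}), C_0 = IV."""
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    out = []
    prev = iv
    for i in range(0, len(plaintext), BLOCK):
        p = plaintext[i:i + BLOCK]
        c = bytes(a ^ b for a, b in zip(p, block_encrypt(key, prev)))
        out.append(c)
        prev = c
    return b"".join(out)


def session_key_material(gen_key: bytes, counter: int, nblocks: int = 3) -> bytes:
    """Model of the generator in the message (constructed, not the real code).

    The plaintext is a sequence number: the counter in the low-order bytes
    of block 1, every later block zero. Output is the CFB ciphertext under
    the long-lived generator key, starting from an assumed all-zero IV.
    """
    seq = counter.to_bytes(BLOCK, "little") + bytes(BLOCK * (nblocks - 1))
    iv = bytes(BLOCK)
    return cfb_encrypt(gen_key, iv, seq)


def codebook_entries_revealed(skey: bytes) -> list:
    """Pairs (x, y) that an observer of one emitted key would claim satisfy y = E_K(x).

    With P_i = 0 for every block after the first, CFB reduces to
    C_i = E_K(C_{i-1}), so each consecutive pair of output blocks is a
    plaintext/ciphertext entry of the generator key's codebook.
    """
    blocks = [skey[i:i + BLOCK] for i in range(0, len(skey), BLOCK)]
    return [(blocks[i - 1], blocks[i]) for i in range(1, len(blocks))]


def entries_are_genuine(gen_key: bytes, entries: list) -> bool:
    """Reviewer's check: do the claimed pairs really match the block function?"""
    return all(block_encrypt(gen_key, x) == y for x, y in entries)


def leaks_codebook(gen_key: bytes, iv: bytes, plaintext: bytes) -> bool:
    """True if CFB output on this plaintext exposes real codebook entries.

    Zero-filled plaintext blocks leak; blocks that differ from zero do not
    line up, since C_i = P_i XOR E_K(C_{i-1}) no longer equals E_K(C_{i-1}).
    """
    return entries_are_genuine(gen_key, codebook_entries_revealed(cfb_encrypt(gen_key, iv, plaintext)))


if __name__ == "__main__":
    key = b"constructed-generator-key"
    for counter in (0, 1):
        skey = session_key_material(key, counter)
        entries = codebook_entries_revealed(skey)
        print(f"counter {counter}: {len(entries)} codebook entries, genuine = {entries_are_genuine(key, entries)}")
```

Each emitted session key yields two genuine entries for the generator key, exactly the "two codebook entries" the message counts. Running `leaks_codebook` with a plaintext that is not zero past the first block returns `False`, which is the property a generator has to keep: the keystream must never be XORed into known or predictable plaintext. Passing this check is a necessary condition on the construction, not a proof that the generator is sound.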