Re: Can someone please poke some holes in this idea?


Giff (giff@eng.us.uu.net)
Wed, 7 Oct 1998 11:26:45 -0400 (EDT)


On Tue, 6 Oct 1998, Lenny Foner wrote:

> An application I'm writing saves its state to disk every so often,
> using IDEA in CBC mode. (It's using SSLeay's implementation of IDEA,
> and makes sure to start with a random IV, etc.) Each time it does so,
> it picks a new 128-bit session key for the encryption; this session
> key is also stored on disk, and is hashed by a passphrase.

One drawback I see is that if you generate a new session key, then all
things which were encrypted with the original session key can't be
decrypted. Your description doesn't indicate when you would change the
session key, or how often, nor what happens to the files.

Another is if someone has access to read the Kx (which is Ks XOR MD5(P))
at two different times: if any past Ks, Kx pair was found, then MD5(P)
would be known and future Ks values can be determined, even though P is
never recovered.

Your question seems to be more about detecting whether or not a decryption
will be correct. One possibility which comes to mind is to append two
blocks to the beginning of the file. Let's assume 64 bit blocks. The
first is composed of randomly generated data [as random as you like]. The
second block is a pattern of WXYZWXYZ, where WXYZ is a random four byte
value. Encrypt everything in CBC mode.

This makes a known plaintext attack very difficult and is easy for your
program to decrypt and test the second block for correctness. The
probability that the wrong key will decrypt into the above pattern is
quite small. The added 128 bits of overhead are small.

-Giff
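As an added illustration (not part of the original thread, and not SSLeay's IDEA), the following Python puts both of Giff's points into running code: a toy 64-bit Feistel cipher stands in for IDEA, CBC mode uses a random IV, `seal_state`/`open_state` implement the random-block-plus-WXYZWXYZ header so a wrong passphrase is detected before any state is trusted, and `recover_future_keys` shows why Kx = Ks XOR MD5(P) leaks MD5(P) once a single (Ks, Kx) pair is known. All function names and the toy cipher are assumptions made for the example.

```python
"""Added example: key-check header and CBC as in Giff's reply, with a toy cipher
standing in for IDEA (assumption: the real application would use IDEA)."""
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, as assumed in the post


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Toy Feistel round function (keyed digest); NOT IDEA, only a stand-in.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def _pad(data: bytes) -> bytes:  # PKCS#7-style padding to a whole block
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def seal_state(key: bytes, state: bytes) -> bytes:
    """Prepend a random block and a WXYZWXYZ check block, then CBC-encrypt.
    Returns iv || ciphertext."""
    wxyz = os.urandom(4)
    header = os.urandom(BLOCK) + wxyz + wxyz
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, _pad(header + state))


def open_state(key: bytes, blob: bytes):
    """Decrypt and return the saved state, or None if the check block fails.
    A wrong key passes the check with probability about 2**-32."""
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    if len(ct) < 3 * BLOCK or len(ct) % BLOCK:
        return None
    pt = cbc_decrypt(key, iv, ct)
    check = pt[BLOCK:2 * BLOCK]
    if check[:4] != check[4:]:
        return None
    try:
        return _unpad(pt)[2 * BLOCK:]
    except ValueError:
        return None


def wrap_key(session_key: bytes, passphrase: str) -> bytes:
    """Kx = Ks XOR MD5(P), the storage scheme described in the thread."""
    return _xor(session_key, hashlib.md5(passphrase.encode()).digest())


def recover_future_keys(known_ks: bytes, known_kx: bytes, later_kx: bytes) -> bytes:
    """Giff's second point: one (Ks, Kx) pair yields MD5(P) = Ks XOR Kx,
    which then unwraps every later Kx without ever learning P."""
    md5_p = _xor(known_ks, known_kx)
    return _xor(later_kx, md5_p)
```

The mitigation for the second function is the usual one: derive the wrapping key from the passphrase with a salted, iterated KDF and wrap Ks with an authenticated cipher instead of a bare XOR, so that a recovered session key does not expose the wrapping secret.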




The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:20