Re: Java applet security, exportability, Jon Postel haiku


Bill Stewart (bill.stewart@pobox.com)
Tue, 27 Oct 1998 13:20:21 -0800


At 09:57 AM 10/26/98 -0500, David R. Conrad wrote:
>The client uses its SecureRandom to generate y, and then it computes
>Y = g^y mod n. Next problem: how many bits do I need here to be secure?
>If y is only 160 bits, will this be weak?

The rule of thumb seems to be that you need to use twice as many bits
as you want to protect, so use at least 320.

>The client can now compute k = X^y mod n. How should I generate my
>symmetric session key from this? I'm thinking of simply K = SHA1(k) where
>K is the session key, but is that sufficient? (Of course, I may desire
>128, 112, or 168 bits of session key, rather than 160, but I can deal with
>that.)

You may need different session keys in the two directions, depending
on your symmetric algorithm, so this isn't good enough.
You could do something like separate SHA1s on the two halves of k,
or SHA1("FROM"|k), SHA1("TO"|k) or things like that.
On the other hand, if you've also negotiated a password with the customer,
hash that in as well, e.g. SHA1("FROM"|password|k|password);
it'll help substantially with your MITM concerns.

>Next, the client sends a message to the server, of the form Y|E_K(M) where
>E_K(M) indicates encryption of message M with key K, and | is
>concatenation. Okay, next question, what should I use as my symmetric
>algorithm? I'm currently toying with IDEA, 3DES and Arc4, but suggestions
>and comments are more than welcome.

Other people have commented that IDEA has patent problems.
3DES is slow, but everybody trusts it, so if you've got small enough data
it's probably ok. There's the minor annoyance that 168-bit keys are
longer than 160-bit SHA1 hashes, so you'll need to scrounge some bits :-)
CAST and BLOWFISH are starting to be popular. For any of these,
be sure to use CBC or some other chaining mode, with a random IV,
rather than simple codebook modes.

RC4 is widely accepted, but you need to be careful with it,
since you can never reuse keys (including not using the same key for
both directions in a conversation.)

Are you worried about crackers impersonating customers,
or only about impersonating the host system?

                                Thanks!
                                        Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
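The exchange and the directional key derivation Bill suggests (SHA1("FROM"|password|k|password) and SHA1("TO"|...)), as an added Python example that is not part of the original thread; the toy group parameters, function names and sample password are my own constructions.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example and far too small for
# real use (2**127 - 1 is a Mersenne prime). A real deployment would use a
# standard large MODP group; only the structure of the exchange matters here.
P = 2**127 - 1
G = 3


def dh_keypair(bits=320):
    """Random private exponent y (the rule of thumb in the reply: twice the
    strength you want, so 320 bits for 160-bit protection) and Y = g^y mod p."""
    y = secrets.randbits(bits) | 1  # force non-zero
    return y, pow(G, y, P)


def shared_secret(their_public, my_private):
    """k = X^y mod p, kept as an integer."""
    return pow(their_public, my_private, P)


def derive_keys(k, password=b""):
    """Two directional session keys, one per direction of the conversation.
    With an empty password this is SHA1("FROM"|k) and SHA1("TO"|k); with a
    shared password it becomes SHA1("FROM"|password|k|password), so a
    man-in-the-middle who does not know the password cannot derive the keys."""
    kb = k.to_bytes((k.bit_length() + 7) // 8, "big")

    def h(label):
        return hashlib.sha1(label + password + kb + password).digest()

    return {"from": h(b"FROM"), "to": h(b"TO")}


def run_exchange(password=b""):
    """Both sides of the exchange; returns each side's derived key set."""
    y, Y = dh_keypair()  # client
    x, X = dh_keypair()  # server
    k_client = shared_secret(X, y)
    k_server = shared_secret(Y, x)
    # Client encrypts client->server traffic under "from" and server->client
    # traffic is decrypted under "to"; the keys differ, so a stream cipher
    # such as RC4 never sees the same key reused in both directions.
    return derive_keys(k_client, password), derive_keys(k_server, password)
```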



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:15:22