Re: A Method of Session Key Generation


Jim Gillogly (jim@acm.org)
Thu, 28 Jan 1999 11:32:54 -0800


M-K Shen wrote:
> Yes. If the analyst has all the previous plaintexts, then there
> is a problem. However, the masterkey is only applied to the
> hash values which are short. Hence the inference of the masterkey
> should not be easy (he must somehow obtain a large number of
> session keys for doing that).

Whether inferring the master key is easy or hard, the point is that
the security of the system under this assumption (known plaintext)
is dependent solely on the master key, and there is no more security
applying it to hashes than applying it to a well-known value such
as a counter representing the number of the message or a nonce given
at the beginning of the message itself. Given that the security is
reduced to that of the master key and cipher, why go to the trouble
of hashing previous plaintexts? You're trusting the strength of the
cipher used for master key -> session key conversion anyway, so you
may as well trust it for the known plaintext case as well, and skip
the extra computations and complications, which do not buy you any
extra protection in the known plaintext case.

-- 
	Jim Gillogly
	7 Solmath S.R. 1999, 19:25
	12.19.5.16.2, 9 Ik 15 Muan, Seventh Lord of Night
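
The argument above, as an added example that is not part of the original message: under known plaintext, the analyst can compute the input to the master-key step in the hash-of-history scheme just as easily as in the counter scheme, so both leave the master key as the only unknown. HMAC-SHA256 stands in for the unspecified cipher, and all function names, the key and the messages are assumptions constructed for illustration.

```python
import hashlib
import hmac

def derive(master_key: bytes, block: bytes) -> bytes:
    # Stand-in for the master key -> session key cipher (assumption: HMAC-SHA256).
    return hmac.new(master_key, block, hashlib.sha256).digest()

def history_input(previous_plaintexts: list[bytes]) -> bytes:
    # Scheme A input: hash of all earlier plaintexts (length-prefixed).
    h = hashlib.sha256()
    for p in previous_plaintexts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def counter_input(message_number: int) -> bytes:
    # Scheme B input: the well-known message number.
    return message_number.to_bytes(8, "big")

def sender_keys(master_key: bytes, plaintexts: list[bytes]):
    # Session keys the legitimate parties use for message i under each scheme.
    n = range(len(plaintexts))
    keys_a = [derive(master_key, history_input(plaintexts[:i])) for i in n]
    keys_b = [derive(master_key, counter_input(i)) for i in n]
    return keys_a, keys_b

def analyst_inputs(known_plaintexts: list[bytes]):
    # What an analyst holding the plaintexts computes WITHOUT the master key:
    # the exact block fed to the keyed step, in both schemes.
    n = range(len(known_plaintexts))
    in_a = [history_input(known_plaintexts[:i]) for i in n]
    in_b = [counter_input(i) for i in n]
    return in_a, in_b

MASTER = b"constructed-master-key-for-demo"            # constructed sample value
MESSAGES = [b"first note", b"second note", b"third"]   # constructed sample values

if __name__ == "__main__":
    keys_a, keys_b = sender_keys(MASTER, MESSAGES)
    in_a, in_b = analyst_inputs(MESSAGES)
    for i in range(len(MESSAGES)):
        # In both schemes the analyst's known input maps to the session key
        # through the master key alone; the hash hides nothing from him.
        print(i, derive(MASTER, in_a[i]) == keys_a[i],
                 derive(MASTER, in_b[i]) == keys_b[i])
```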



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:06