On a Method of Session Key Generation (revised)


mok-kong shen (mok-kong.shen@stud.uni-muenchen.de)
Tue, 02 Feb 1999 13:29:15 +0100


Note: This is an extended revision of a previous post.

The following is a sketch of a proposed scheme for session key
generation with motivations and discussions given in subsequent
paragraphs of the paper:

   Hash all previously processed plaintexts. Encrypt the hash with
   a masterkey to obtain the current session key.

In principle any secure way of continuously producing, as desired,
session keys serves the purpose being discussed. However, involving
the previous plaintexts in the session key generation process results
in the advantage that, if the receiver can decrypt an incoming
message, then he directly knows with high certainty that no message
has been suppressed or manipulated. There is no protocol. The sender
simply obtains at any time point the session key and uses it
right away without cooperation of the receiver. The techniques
involved in the implementation can be simple. In particular, it does
not employ sophisticated techniques like Diffie-Hellman, which is used
e.g. (as one of the options) in EKE, see Schneier's book. (I suppose
the essence of the state of the art is sufficiently covered by
Schneier's book. Detailed documents are currently not accessible for
me.)

It should be mentioned that our perhaps extreme striving for
simplicity is motivated by potential needs in (crypto-)technically
underdeveloped regions (countries outside of Wassenaar), where one
may have to be content with a 56-bit algorithm and similar
comparatively 'primitive' crypto stuff. It is also much more likely
in such regions than elsewhere that the receiver is not reachable
online for substantial periods of time and consequently the messages
have to be deposited at his mailbox prior to his retrieval. In such
cases operating without a protocol can apparently be of value. (Note,
though, our proposal does not intend to compete in general with the
well-known techniques but is meant as a viable complement useful in
certain environments that need session keys as said above.)

There is one disadvantage with the scheme. If for any reason a
message gets lost, then the following messages cannot be read by the
receiver before retransmission of the lost message. We assume,
however, that this should rarely occur and that the delays and the
inconvenience caused by retransmission can be tolerated by the
communication partners. (In modern communication networks packet and
message losses should be taken care of by lower protocol layers and
be transparent at the application layer. Routing can cause messages
to arrive out of order. This can be taken care of with a plain message
sequence number or, certainly with discomfort, by doing trial
decryptions.)

It is the author's humble opinion that the plaintexts should provide
enough entropy to the hash values employed. Should entropy be deemed
a concern, one could e.g. add to the hash values outputs from a PRNG.
(A statistically good PRNG should be sufficient for this purpose and
has certainly no problems with the Wassenaar regulation.)

As to implementation one can, for example, hash all previous messages
into a hash record of a certain chosen length and from that hash a
second time to the length required by the encryption algorithm that
employs the master key. Subsequently the hash record is updated with
a copy of the message just sent and is ready for future use. Thus
there is no necessity of archiving all the previous plaintexts.
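The following is an added illustration of the scheme as sketched above (the hash record, the second hash to key length, and the use of the previous plaintexts for session key generation); it is not code from the original post. Two assumptions are made that the post leaves open: HMAC-SHA256 under the master key stands in for "encrypting the hash with the master key" with a block cipher, and the per-message encryption is a toy SHA-256 counter-mode keystream with an HMAC tag under the session key, so that a receiver whose hash record has diverged (because a message was suppressed) sees a decryption failure rather than silently obtaining garbage. All keys and messages are constructed sample values.

```python
import hashlib
import hmac


def _keystream(session_key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(session_key || counter) blocks, an assumption
    # standing in for whatever cipher the session key is actually used with.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(session_key: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    # XOR with the keystream, then tag the ciphertext under the session key.
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(session_key, len(plaintext))))
    tag = hmac.new(session_key, ct, hashlib.sha256).digest()
    return ct, tag


def decrypt(session_key: bytes, ct: bytes, tag: bytes) -> bytes:
    # A wrong session key (diverged hash record) fails the tag check here.
    expected = hmac.new(session_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("decryption failed: session key mismatch (lost or altered message?)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(session_key, len(ct))))


class Endpoint:
    """One communication partner holding the master key and the hash record."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        # Hash record of "all previous plaintexts"; empty history at the start.
        self.record = hashlib.sha256(b"").digest()

    def session_key(self) -> bytes:
        # Hash the record a second time to the cipher's key length, then
        # "encrypt" it with the master key (HMAC stands in for the block cipher).
        second_hash = hashlib.sha256(self.record).digest()
        return hmac.new(self.master_key, second_hash, hashlib.sha256).digest()

    def _update(self, plaintext: bytes) -> None:
        # Fold the message just sent/received into the record; the old
        # plaintexts themselves need not be archived.
        self.record = hashlib.sha256(self.record + plaintext).digest()

    def send(self, plaintext: bytes) -> tuple[bytes, bytes]:
        ct, tag = encrypt(self.session_key(), plaintext)
        self._update(plaintext)
        return ct, tag

    def receive(self, ct: bytes, tag: bytes) -> bytes:
        plaintext = decrypt(self.session_key(), ct, tag)  # raises on divergence
        self._update(plaintext)
        return plaintext


def run_demo() -> tuple[bool, bool]:
    """Returns (all messages read in order, suppressed message detected)."""
    master = b"constructed-32-byte-master-key!!"  # constructed sample key
    sender, receiver = Endpoint(master), Endpoint(master)
    msgs = [b"first message", b"second message", b"third message"]
    wire = [sender.send(m) for m in msgs]

    in_order = [receiver.receive(ct, tag) for ct, tag in wire]

    # A receiver that never gets the second message: its record diverges,
    # so the third message cannot be decrypted until the lost one is resent.
    unlucky = Endpoint(master)
    unlucky.receive(*wire[0])
    try:
        unlucky.receive(*wire[2])
        loss_detected = False
    except ValueError:
        loss_detected = True
    return in_order == msgs, loss_detected


if __name__ == "__main__":
    print(run_demo())
```

Because each record chains on the previous one, consecutive session keys differ even when the same plaintext is sent twice; the retransmission scenario in the post corresponds to the `unlucky` receiver above, which recovers only once it has processed the missing message.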

Finally we have to discuss the security issue. The strongest threat
model appears to be the case where the analyst has all the previous
plaintexts (from the very beginning of message exchanges between the
partners till the present without a single exception). However, one
can use a symmetric block algorithm to do the hashing, so that the
hash values are unknown to the analyst if that algorithm is strong
enough. Even if we further weaken our assumption, namely down to the
point that these hash values are known to the analyst, we have
nonetheless the case that (considering the encryption of the hash
values using the master key) the 'plaintexts' (here the hash values)
are known but the 'ciphertexts' (here the session keys generated)
are unknown. (Assuming that these 'ciphertexts' (the session keys)
are known to the analyst would have amounted to assuming that the
proper encryption process using the session keys is itself broken,
which we apparently need not consider within the framework of the
present paper.) Since furthermore the volume of these 'plaintexts'
(the hash values) is small, we conclude that the task of inference
of the master key by the analyst is hard (if an adequate algorithm
is used for encrypting the hash values at all).

Comments, critiques and suggestions for improvements are sincerely
solicited.

M. K. Shen

------------------------------------------------------
M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany (permanent)
http://www.stud.uni-muenchen.de/~mok-kong.shen/
(Origin site of WEAK2-EX, WEAK3-EX and WEAK4-EX, three Wassenaar-conform
 algorithms based on the new paradigm Security through Inefficiency.
 Containing 2 mathematical problems with rewards totalling US$500.)