From: "Devon H. O'Dell " <dodell@offmyserver.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] crypto question
Date: Wed, 13 Apr 2005 21:23:28 +0200 [thread overview]
Message-ID: <20050413192328.GA13046@smp500.sitetronics.com> (raw)
In-Reply-To: <Pine.BSI.4.61.0504121245410.5044@malasada.lava.net>
[-- Attachment #1: Type: text/plain, Size: 1996 bytes --]
On Tue, Apr 12, 2005 at 12:54:20PM -1000, Tim Newsham wrote:
> Hi,
> I noticed that the libc function encrypt() uses some non-standard form
> of cipher chaining. In the normal case one byte from the previous block
> is reencrypted with 7 bytes from the new block. Additionally there is no
> initialization vector used.
>
> This chaining is not very strong (only slightly better than using ECB
> mode). In particular:
>
> - common prefixes will encrypt the same way.
> - large common sequences within the middle or end of the
> data have a reasonable chance of encrypting the same
> way (2^-8 chance of rejoining at each encryption boundary).
Indeed, this provides means for so-called `birthday attacks' in
which repeating characters can be guessed which may help an
attacker gain further knowledge of the plaintext or key by
effectively reducing the effort necessary to brute force (at
least part of) the plaintext.
> These weaknesses could open the way for attacks on the code where
> encrypt() is used. I was looking over the p9sk1 authentication and didn't
> notice any obvious attacks, but I'm not particularly good at cryptography
> (the fact that the challenge has to be matched in tickets encrypted by two
> different keys offers some protection against splicing).
Doesn't p9sk1 still use DES? DES was nice, but has several
recognized ways to speed up cryptanalysis of the algorithm. 3DES
is an alternative, but with combinations such as Rijndael-256 in
CBC mode (or indeed, using a strong stream cipher -- Helix looks
neat, but it's still too new, I think), I really don't see why
we should stick with these things.
Of course, we can discuss this all we want, but without code it
remains a bikeshed :)
> Is there any reason this scheme was chosen over more traditional chaining
> modes?
>
> Tim Newsham
> http://www.lava.net/~newsham/
Perhaps just due to simplicity of implementation? I dunno :).
--Devon
[-- Attachment #2: Type: application/pgp-signature, Size: 194 bytes --]
next prev parent reply other threads:[~2005-04-13 19:23 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-12 22:54 Tim Newsham
2005-04-12 23:10 ` boyd, rounin
2005-04-13 0:18 ` Martin Harriss
2005-04-13 3:36 ` Tim Newsham
2005-04-13 3:44 ` boyd, rounin
2005-04-13 15:52 ` Bruce Ellis
2005-04-13 18:45 ` Tim Newsham
2005-04-13 19:23 ` Devon H. O'Dell [this message]
2005-04-13 22:01 ` Karl Magdsick
2005-04-13 22:05 ` Devon H. O'Dell
2005-04-13 22:16 ` Bruce Ellis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050413192328.GA13046@smp500.sitetronics.com \
--to=dodell@offmyserver.com \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).