From: "David F. Ogren" <ogren@cris.com>
Date: Sat, 1 Jun 1996 19:27:17 +0800
To: cypherpunks@toad.com
Subject: Re: Where does your data want to go today?
Message-ID: <199606010706.DAA29049@darius.cris.com>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Me:
> >Using a random IV also limits the effectiveness of using known
> >headers for "known plaintext" attacks.  Also note that a good block
> > cipher isn't that vulnerable even to "known plaintext" attacks.

Bill Frantz: 
> I don't think this is true given a brute force attack.  Let me
> assume DES-CBC as a specific system.  Let us assume that the
> plaintext is:
> 
<snip>

> The brute force system decrypts the first, and second blocks (8
> bytes each) of the cyphertext, XORs them, and compares the result
> with "PKZIP2.1".  If the comparison is equal it has the key.
> 
> If we eliminated the header and just started with the compressed
> data, then the brute force system would have to decrypt and
> decompress enough of the data to run statistical tests.  The cost of
> the additional decryptions, decompression, and statistical tests
> substantially raise the cost of the brute force attack.

I will concede that having a known header, such as a PKZIP header,
does weaken a crypto to certain degree, but I still believe that it is
not a significant problem.  Here's why:

1. If the best attack against the crypto system is to brute force
attack (having to decrypt two blocks per key) I don't consider that a
weakness. Assuming you are using IDEA or another 128 bit key algorithm
and if everyone in the world owned two computers, each powerful enough
to make a million attacks a second, and they all decided to cooperate
in cracking your key it would still take (on average) until the next
ice age to complete this attack.  Admittedly DES wouldn't hold up
nearly as well, but if you are using straight DES you have bigger
concerns than the occaisional known plaintext attack.

2. Known plaintext is something that you have to assume that your
enemy has at least occaisional access to.  Lots of messages have known
beginnings and endings.  Sure it would be nice to reduce the amount of
known plaintext, but I think there are much more significant concerns.

3. The disadvantages of not having the headers.  The headers are
there for a reason: to communicate that the following file is in a
specific format.  Without the headers, you have to use another secure
channel to communicate what file type is being transmitted.

Again, I concede that a crypto system would be more secure if no
known plaintext was ever transmitted, such as compressed file
headers.  But this minor loss of security is nearly inescapable and
also relatively insignificant.

David F. Ogren
ogren@concentric.net
PGP Key ID: 0xC626E311
PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE  81 71 84 C8 2C E0 4B 01
(public key available via server or by sending a message to
ogren@concentric.net with a subject of GETPGPKEY)


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMa/qu/BB6nnGJuMRAQH8MAP/epcVGiS+9U1aWs1diuiVsMSjellYRjNm
p9huFrzT9eaBrfVz0MI2yhZ8IWNctDWznQdmtcmdRKoFm5Knfu+vIyKH6oILplyB
dgfPsSh3R/pJKXs2hD4q8PgE+laaTyFZyW1MqPbAjlKUS/T1w9bhL3lQnsrKZPf+
Qyxa19Vlya0=
=sHIE
-----END PGP SIGNATURE-----