1995-12-07 - Re: Still more on the Digicash protocol

Header Data

From: daw@guaymas.CS.Berkeley.EDU (David A Wagner)
To: cypherpunks@toad.com
Message Hash: 93c14c416848d38ecbdd7ad7170133e7a47a4568e99d6468597fde74a0b77847
Message ID: <199512072056.PAA21957@bb.hks.net>
Reply To: N/A
UTC Datetime: 1995-12-07 20:57:33 UTC
Raw Date: Thu, 7 Dec 95 12:57:33 PST

Raw message

From: daw@guaymas.CS.Berkeley.EDU (David A Wagner)
Date: Thu, 7 Dec 95 12:57:33 PST
To: cypherpunks@toad.com
Subject: Re: Still more on the Digicash protocol
Message-ID: <199512072056.PAA21957@bb.hks.net>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

In article <Pine.3.89.9512071804.A21520-0100000@unicorn.com>,
Rev. Mark Grant <mark@unicorn.com> wrote:
> I think he means you shouldn't use a stream cipher like RC4 that XORs the
> plaintext with the generated keystream, since if you know part of the
> plaintext, you can XOR those bytes with (the id you want) XOR (the id
> being sent) and change the encrypted data so that the payment goes into
> your account and not theirs.

Right.

RC4 encryption doesn't provide message integrity.

And I should mention that block ciphers like DES in chaining modes
like CBC don't provide message integrity either -- it's a bit harder,
but an active attacker can still tamper with the ciphertext to modify
the plaintext in a predictable way, like with RC4.

I admit it's a more difficult to mount this attack against a block
cipher in chaining mode, and the success probability may go down
(depending on the circumstances), but hey! paranoia is your friend;
and my point remains valid:

	Don't count on encryption to give you message integrity.
	If you need message integrity, use a MAC.

If you want a citation for this basic crypto design principle, I'll
be happy to provide one.

>                              This is a tough, but potentially feasible
> attack if you use that kind of encryption scheme. 

Tough!?  It's trivial for an active attacker, in the stream cipher case.
He just xors some bits: no clever cryptanalysis needed.  (Or did you mean
it's tough to mount an active attack?  I agree: that requires significant
knowledge or motivation.)

> Is there anywhere that you could use a similar attack on SSL ?

Not in SSL v3.0; it explicitly uses a (cryptographically strong) MAC
(message authentication code) on each message to prevent tampering
and modification.

Dave Wagner, speaking for himself,
but thankful for all those behind the scenes who are helping
to improve and open up Digicash communications.
- ---
[This message has been signed by an auto-signing service.  A valid signature
means only that it has been received at the address corresponding to the
signature and forwarded.]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Gratis auto-signing service

iQBFAwUBMMdVCCoZzwIn1bdtAQHEvQF/c1wmuVWCpmMo+4jY0cNlrrKD/5vYb/st
xC2dFLgb1ydJm6kfWRw0Hz8vF55tzj9t
=N+Gr
-----END PGP SIGNATURE-----





Thread