1996-01-09 - Can you break my encryption protocol ?

Header Data

From: “Mark Grant, M.A. (Oxon)” <mark@unicorn.com>
To: cypherpunks@toad.com
Message Hash: b99d4bb12812b39d3a4b7bc0eae207bc06076fe810fcd0feb08177ccc6c71b3d
Message ID: <Pine.3.89.9601091514.A24844-0100000@unicorn.com>
Reply To: N/A
UTC Datetime: 1996-01-09 16:03:03 UTC
Raw Date: Wed, 10 Jan 1996 00:03:03 +0800

Raw message

From: "Mark Grant, M.A. (Oxon)" <mark@unicorn.com>
Date: Wed, 10 Jan 1996 00:03:03 +0800
To: cypherpunks@toad.com
Subject: Can you break my encryption protocol ?
Message-ID: <Pine.3.89.9601091514.A24844-0100000@unicorn.com>
MIME-Version: 1.0
Content-Type: text/plain



I'm trying to put together a simple protocol for encrypting confidential
but typically low-value data (i.e. I don't want people to be able to read
it, but in most cases it wouldn't be catastrophic if they could). I want
it to be completely license-free, so I can't use RSA or other patented
algorithms. It also would only be used inside one organisation, so key
management isn't so much of a problem, and the main attack it has to 
defend against is packet-sniffing on the Net. It also has to support 
variable-length keys for ITAR.. 

The idea is as follows..


Client and server both have copies of a passphrase, of any length.

When starting the connection, client sends 128 random bits to the server.

Both ends take this data, append the passphrase, and use MD5 to generate 
a session key. If a key of less than 128 bits is required for legal 
reasons, then the appropriate number of bits are retained, and the rest 
replaced with bits from the random data that was sent in the clear.

That is, if you're only allowed 40 bit security, you take the first 88
bits that you were sent, and append the last 40 bits of the generated key 
to give you the session key to use.

You then go off and encrypt the session (probably using 3DES or Blowfish). 


Can anyone spot any flaws in this system ? The only potential problem I
can see would be that by cracking a number of sessions you could work out
the passphrase. However, I think the number required would still be
infeasible. 

Also, are there any known problems with using Blowfish for encrypting a
data stream ? I'm assuming it's OK as it's used in PGPfone. 

	Mark






Thread