From: Bill Stewart <stewarts@ix.netcom.com>
To: “Myron Lewis” <mrlewis@keygen.com>
Message Hash: c5194f4ab8fcaa0af116ca5926fb3c284a14cc6549d92838ec5c95dc711e8708
Message ID: <3.0.2.32.19970830141731.02fb96d4@popd.ix.netcom.com>
Reply To: <19970829133319.AAA17639@mrlewis.tiac.net>
UTC Datetime: 1997-08-30 22:09:58 UTC
Raw Date: Sun, 31 Aug 1997 06:09:58 +0800
From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sun, 31 Aug 1997 06:09:58 +0800
To: "Myron Lewis" <mrlewis@keygen.com>
Subject: Re: ASK ToolKit Clarifications
In-Reply-To: <19970829133319.AAA17639@mrlewis.tiac.net>
Message-ID: <3.0.2.32.19970830141731.02fb96d4@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain
At 09:27 AM 8/29/97 -0400, Myron Lewis wrote:
>I know that the claims we make for the ASK ToolKit(TM) sound
>a little too good to be true.
...
>The ASK ToolKit does not do encryption.
>It only provides keys on demand for encryption.
And his web page says
> you will be able to offer your customers the most secure applications
available.
>And they won't have to endure the pain of dealing with,
>or spending the money for, key management systems.
The toolkit is fairly straightforward, if the descriptions are accurate.
Alice exchanges a secret with Bob somehow, and keeps track of
which secret goes with which recipient, i.e. does the key management -
either inside the toolkit, making the toolkit somewhat useful,
or outside the toolkit, making the toolkit annoying to use.
At that point, Alice and Bob both have Secret(Alice,Bob),
and a counter N of the number of session keys they've generated.
When Alice wants to send Message to Bob, she uses the toolkit to calculate
(SessionKey(N), Stuff2) = f(N, Secret(Alice,Bob),Alice,Bob,Stuff1)
and sends Bob (N,Stuff1,Stuff2,Alice,Bob) and E(Message,SessionKey(N)).
Having not licensed a copy of the toolkit, I don't know whether
Stuff1 and Stuff2 are transmitted, non-transmitted, or empty sets,
or whether the function f maintains state other than N (if it does,
then Stuff1 and Stuff2 are the state variables, with Stuff1(N+1)==Stuff2(N).)
Some popular variants on this are
f() = Hash(Secret,N)
(tends to leak)
f() = Hash(N,Secret,N) or Hash(N,Hash(Secret,N)) or Hash(Secret,N,Secret)
f() = Hash(SessionKey(N-1)) == Hash**N(Secret)
(terrible - leaks badly.)
f() = (Hash2(salt,Hash**N(Secret)), salt)
(much stronger if Hash2 is good.)
Then there's S/Key: f() = Hash**(M-N)(Secret) where M is a big number,
typically 100.
This works well for passwords, since you can easily verify that
Hash**N(f()) = Secret,
though it's dangerous for encryption passwords, since cracking one message
key cracks
all the previous messages.
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list or news, please Cc: me on replies. Thanks.)
Return to August 1997
Return to “Myron Lewis <mrlewis@keygen.com>”