Re: DES AND IDEA IN THE KERNEL _VERY_ BROKEN!

Ian Goldberg (iang@cs.berkeley.edu)
2 Aug 1996 08:25:01 -0700


-----BEGIN PGP SIGNED MESSAGE-----

In article <9607211110.AA22096@nyx.net>, Colin Plumb <colin@nyx.net> wrote:
>I'd like to remind folks that a central tenet in cryptography is that
>you don't want to encrypt two messages with the same key *and IV*.
>It causes information leakage. The leakage is low enough that if it
>happens by accident, there's no great cause for alarm, but you shouldn't
>do it on a regular basis.
>
>And if you use an encrypted device on a machine which someone else
>can read the hard drive of, then over time, as you modify the
>drive, if the IV you use for encrypting each block depends only
>on the block number, you are creating messages (each subsequent
>version of the block) which are encrypted with the same key and IV.
>Lots of them.
>
>Now, OFB and counter mode are *particularly* bad, as you can XOR
>two versions of a block together and recover the XOR of the
>plaintexts. Generally a bad idea. CFB mode has problems,
>but even CFB mode reveals the location of an alteration.
>
>The hack used in Peter Gutmann's MS-DOS SFS device driver of
>using a checksum of the plaintext (and the block offset, and
>some per-volume unique information) is advisable.

But how do you _read_ the block if the IV you need to decrypt it is based
on the plaintext? (Unless there's some checksum that remains invariant
under encryption, which seems unlikely...)

- Ian

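The leakage Colin describes, worked through as an added example (not code from the original thread or from any kernel driver): two versions of one disk sector are encrypted in counter mode under the same key and a sector-number-derived IV, and XORing the two ciphertexts hands back the XOR of the plaintexts and the exact offsets that changed. HMAC-SHA256 is assumed as a stand-in for the DES/IDEA block function, since the property is a property of the mode, not the cipher; the sector contents are constructed.

```python
import hashlib
import hmac
import os

SECTOR = 512


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, IV || counter) for successive counters.
    HMAC-SHA256 stands in for the block cipher (assumption, not the driver's)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


def sector_iv(sector_no: int) -> bytes:
    # The scheme the post warns about: the IV depends only on the sector
    # number, so every rewrite of a sector reuses the key *and* the IV.
    return sector_no.to_bytes(8, "big")


def changed_offsets(cipher_xor: bytes) -> list:
    """Offsets an observer holding two snapshots learns were modified."""
    return [i for i, b in enumerate(cipher_xor) if b]


def demo():
    """Same key, same sector IV, two versions: ciphertext XOR == plaintext XOR."""
    key = os.urandom(16)
    v1 = bytes(b"A" * SECTOR)                     # constructed sector contents
    v2 = v1[:100] + b"PWD!" + v1[104:]            # a later rewrite of the sector
    iv = sector_iv(7)
    leak = xor_bytes(encrypt_sector(key, iv, v1), encrypt_sector(key, iv, v2))
    return leak, xor_bytes(v1, v2)


def demo_fresh_iv():
    """Same two versions, but a fresh IV per write: the XOR no longer matches."""
    key = os.urandom(16)
    v1 = bytes(b"A" * SECTOR)
    v2 = v1[:100] + b"PWD!" + v1[104:]
    c1 = encrypt_sector(key, os.urandom(8), v1)
    c2 = encrypt_sector(key, os.urandom(8), v2)
    return xor_bytes(c1, c2), xor_bytes(v1, v2)
```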