
Re: Faster way to deescrow Clipper




Mike Ingle says:
> The attack posted here uses a brute-force search to find a phony LEAF
> which has a valid checksum. Instead, why not just initialize the chip
> with a session key and get the LEAF. Reset the chip and initialize it
> with a different session key, but send the first LEAF instead of the
> second one.

An interesting idea. 

> The LEAF would look good unless you tried to decrypt the
> session key. The wrong-IV problem would remain. The NSA should have
> designed the Clipper so that, if the IV was wrong, the chips would not
> accept the LEAF.

That can't be done, I'm afraid. It's way too difficult to distinguish a
bad IV from line noise nuking the first block of your CBC
conversation.

> They also should have used a much larger (32-bit or even 64-bit) checksum.

Matt suggests precisely that in his paper.

Perry