Re: [Cfrg] draft-housley-ccm-mode-00.txt
Greg Rose <ggr@qualcomm.com> writes:
>Doing the authentication and the encryption with the same key is bad
>practice. You should take the input key, and derive from it two subordinate
>keys, which are independent of each other as far as an outside attacker can
>tell, then use one of them for the counter mode encryption, the other for
>the CBC-MAC.
This doesn't work if your crypto hardware or software doesn't give you
access to the key, which is quite common. The way I was doing it for the
encrypt+MAC is to use the encryption algorithm to generate a MAC key by
encrypting an all-zero block (or blocks); this both avoids the problem of key
inaccessibility and means that a rollback attack is made more difficult,
since the first block of ciphertext is scrambled (it isn't 100%
bulletproof, but will catch most attempts to roll back from encrypt+MAC
to encrypt-only).
Peter.
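An added worked example (not code from either poster or from the CCM draft) of the key-derivation trick described above: the MAC key is obtained as E_K(0^n) using only the cipher's encrypt operation, then CTR mode and CBC-MAC run under the two keys. The 128-bit block cipher here is a constructed stand-in (a 4-round Feistel network with an HMAC round function) so the block runs offline; all function names are this example's own. It also adds one check the message does not mention: the CTR nonce must never be all zero, or counter block 0 would equal the derivation input and the keystream would leak K_mac.

```python
import hmac, hashlib

BLOCK = 16

def feistel_round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a 128-bit block cipher (Luby-Rackoff PRP); swap in AES.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, feistel_round(key, i, right)))
    return left + right

def derive_mac_key(enc_key: bytes) -> bytes:
    # K_mac = E_K(0^n): needs only the encrypt primitive, not the raw key bits.
    return block_encrypt(enc_key, bytes(BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter block = 12-byte nonce || 32-bit block index. Only encryption is used,
    # so this works on hardware exposing a single key-loaded encrypt function.
    if len(nonce) != 12 or nonce == bytes(12):
        raise ValueError("nonce must be 12 bytes and not all zero (would collide with E_K(0))")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)

def cbc_mac(key: bytes, data: bytes) -> bytes:
    # Length-prefixed, zero-padded CBC-MAC (prefix blocks the classic extension forgery).
    msg = len(data).to_bytes(BLOCK, "big") + data
    msg += bytes(-len(msg) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, bytes(a ^ b for a, b in zip(state, msg[i:i + BLOCK])))
    return state

def seal(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: CTR under K, CBC-MAC over nonce||ciphertext under E_K(0).
    ciphertext = ctr_encrypt(enc_key, nonce, plaintext)
    return ciphertext + cbc_mac(derive_mac_key(enc_key), nonce + ciphertext)

def open_sealed(enc_key: bytes, nonce: bytes, sealed: bytes):
    ciphertext, tag = sealed[:-BLOCK], sealed[-BLOCK:]
    expected = cbc_mac(derive_mac_key(enc_key), nonce + ciphertext)
    if not hmac.compare_digest(tag, expected):
        return None  # reject before decrypting anything
    return ctr_encrypt(enc_key, nonce, ciphertext)
```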
_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg