Re: [Cfrg] Re: hash functions, steram ciphers

[david jacobson <David.Jacobson at Sun.COM>]

Shai Halevi wrote:
> On Thursday Thu, 26 Aug 2004 10:32, "Hallam-Baker, Phillip" wrote:
>
>
> [snip]
>
> > RC4 has been compromised by Shamir & co, but as a general rule I don't
> > think any stream cipher should ever get a higher status than acceptable. 
> > A stream cipher always allows a person who has a plaintext and ciphertext
> > corresponding to a key to encode or decode all messages with that key 
> > that are shorter or the same size. [...]
>
>
> In essence, you're claiming that it is easier to misuse a stream cipher 
> than a block cipher. I'm interested whether others share the same view. 
> (We all know how easy it is to misuse stream ciphers, but on the other 
> hand it is also quite easy to misuse block ciphers.)
>
> -- Shai

For clarification I'm referring to RC-4 like ciphers that in essence are 
pseudo-random bit generators that are XORd with the data at both ends. 
As with a one-time pad, these can be used only once.

The biggest problem, in my opinion, is that if the data is structured in 
a way known to the attacker, he can can flip any bit(s) he likes, unless 
the message is protected in some way.  So if he knows you are 
transferring $1000 into account 666666, he can easily flip the bits of 
the target account number to 666777.

Contrast this with any CBC mode block cipher.  Flipping any bit turns 
the entire block it was in and all subsequent blocks to garbage.

Of course, the counter arugment is that if you want integrity, you 
should not be depending on just encryption, so I'm complaining about a 
property that one should not expect.

  -- David Jacobson



_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg