Key usage

Main Page | Report this Page

Science Forum Index » Cryptography Forum » Key usage

Page 1 of 2 Goto page 1, 2 Next

Author

Message

Mok-Kong Shen

Posted: Tue Dec 23, 2003 11:00 am

Guest

Presumably an entirely trivial question: Is it good, bad or
neutral to employ a key to encrypt a value that is unique
to each message (e.g. a composition of time and message no.)
and use that as the key for doing the actual encryption of
the message? (This could have the merit of automatically
keeping the volume of text that is encrypted by any
particular key to a quite limited value practically.)

M. K. Shen
--------------------------------------
http://home.t-online.de/home/mok-kong.shen

Tom St Denis

Posted: Tue Dec 23, 2003 11:07 am

Guest

"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote in message
news:3FE866A9.58F329A0@t-online.de...

Quote:

Typically you re-key as often as practical (i.e. every new session, every
2^20 packets or whatever).
Normally the MAC and Encrypt keys are different but derived from a master
key. I use a hash to accomplish this in the software I write. E.g.

Hk = HASH(k || "hmac")
Ek = HASH(k || "encrypt")

That way compromising one key won't reveal the other [easily].

Tom

p.s. to anyone reading my year03.pdf thingy and thinking I can't spell... I
agree.. I didn't proofread it and I'm just now spotting tonnes of
mistakes... Ooops.

Mok-Kong Shen

Posted: Tue Dec 23, 2003 11:13 am

Guest

Tom St Denis wrote:

Quote:

"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote:

Presumably an entirely trivial question: Is it good, bad or
neutral to employ a key to encrypt a value that is unique
to each message (e.g. a composition of time and message no.)
and use that as the key for doing the actual encryption of
the message? (This could have the merit of automatically
keeping the volume of text that is encrypted by any
particular key to a quite limited value practically.)

Typically you re-key as often as practical (i.e. every new session, every
2^20 packets or whatever).
Normally the MAC and Encrypt keys are different but derived from a master
key. I use a hash to accomplish this in the software I write. E.g.

Hk = HASH(k || "hmac")
Ek = HASH(k || "encrypt")

That way compromising one key won't reveal the other [easily].

A related question: Isn't it that, through limiting
the materials encrypted by one key to sufficiently
small quantity, one is safe against attacks that needs
fairly huge amounts of materials for success?

M. K. Shen

Tom St Denis

Posted: Tue Dec 23, 2003 11:57 am

Guest

"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote in message
news:3FE869AE.DA3367C0@t-online.de...

Quote:

Tom St Denis wrote:

"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote:

Presumably an entirely trivial question: Is it good, bad or
neutral to employ a key to encrypt a value that is unique
to each message (e.g. a composition of time and message no.)
and use that as the key for doing the actual encryption of
the message? (This could have the merit of automatically
keeping the volume of text that is encrypted by any
particular key to a quite limited value practically.)

Typically you re-key as often as practical (i.e. every new session,
every
2^20 packets or whatever).
Normally the MAC and Encrypt keys are different but derived from a
master
key. I use a hash to accomplish this in the software I write. E.g.

Hk = HASH(k || "hmac")
Ek = HASH(k || "encrypt")

That way compromising one key won't reveal the other [easily].

A related question: Isn't it that, through limiting
the materials encrypted by one key to sufficiently
small quantity, one is safe against attacks that needs
fairly huge amounts of materials for success?

Sorta. The more important reason is to limit the loss incurred by leaking
the key.

Tom

Joseph Ashwood

Posted: Tue Dec 23, 2003 2:09 pm

Guest

[Side note: I'm back, but I don't know for how long, founding a
company is a tough business]

Mok-Kong Shen <mok-kong.shen@t-online.de> wrote in message news:<3FE866A9.58F329A0@t-online.de>...

Quote:

It is as you noted the solution is marginally good, as it limits the
available ct/pt pairs available. I suspect that unless you have some
exotic requirements that it is entirely neutral, simply because the
required texts to break a modern cipher would take up an insane amount
of space. The biggest question is: How paranoid are your users? Using
the time should help address their paranoia, something I've concluded
is what most encryption advancements are actually used for.
Joe

Mok-Kong Shen

Posted: Tue Dec 23, 2003 3:48 pm

Guest

Joseph Ashwood schrieb:

Quote:

Mok-Kong Shen <mok-kong.shen@t-online.de> wrote:

Presumably an entirely trivial question: Is it good, bad or
neutral to employ a key to encrypt a value that is unique
to each message (e.g. a composition of time and message no.)
and use that as the key for doing the actual encryption of
the message? (This could have the merit of automatically
keeping the volume of text that is encrypted by any
particular key to a quite limited value practically.)

It is as you noted the solution is marginally good, as it limits the
available ct/pt pairs available. I suspect that unless you have some
exotic requirements that it is entirely neutral, simply because the
required texts to break a modern cipher would take up an insane amount
of space. The biggest question is: How paranoid are your users? Using
the time should help address their paranoia, something I've concluded
is what most encryption advancements are actually used for.

I didn't say that the utility is marginal. If I may
express my own opinion, I think that, if the currently
best known analytical attack of a cipher requires 2^m
units of pt and/or ct, then setting a factor of safety
of 2^s (say, s=15) would allow a maximum of 2^(m-s)
units being used without changing of the message key.
That would mean that even certain block ciphers that
are considered broken could still quite well be used.
Anyway, on the other hand, for an intact and not yet
broken cipher, having a simple and cheap automatic
mechanism that fairly effectively guards against too
much material being processed by any single encryption
key does seem to be something worthwhile of consideration.

M. K. Shen

Tom St Denis

Posted: Tue Dec 23, 2003 4:00 pm

Guest

"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote in message
news:3FE8AA0A.EBE75978@t-online.de...

Quote:

The accepted standard for a cipher is 2^{m/2} for a m-bit block. For
instance, AES is considered safe upto 2^64 blocks in CBC.

However, while AES itself is considered safe in CBC upto that size mosts
systems would not. For example, say you're on some medium which costs per
time. You'd want to keep per unit of billing even if that means only 2^10
blocks of text or so. Essentially you want to minimize liability in the
system. It's also part of forward secrecy.

Or in another perspective you ask yourself this question. If an attacker
knew the key right now how much is a tolerable loss. If it takes X dollars
to break a key and the unit time billing is Y for the secret as long as Y <
X you're generally safe.

For example, on a cell phone it may costs 0.30$ per minute. So an attacker
will not spend $100M breaking a key that only gives him five minutes of talk
time. If I'm not mistaken GSM keys for instance [for the purposes of
authentication] are fixed for all time [for any given user]. Only the
session key changes [cuz it's cheap and you want to avoid hitting the bday
under the same key].

So it breaks down into two restrictions

1. You have to rekey before the bday [preferably way before]
2. You have to rekey so you limit the liability to less than what breaking
it costs

Ideally this means you re-key every session and before 2^{m/4} blocks are up
[e.g. 2^32 blocks or 64GB of text with AES]. The latter is a bit arbitrary
but IMO a good idea.

Tom

Mok-Kong Shen

Posted: Wed Dec 24, 2003 3:26 am

Guest

Tom St Denis wrote:

Quote:

[snip]
The accepted standard for a cipher is 2^{m/2} for a m-bit block. For
instance, AES is considered safe upto 2^64 blocks in CBC.

Could you give some references of such opinions? How
about the case of ECB (which I suppose is what the
figures of analytical attacks refer to) that should
anyway provide a lower bound? Thanks.

M. K. Shen

John Savard

Posted: Wed Dec 24, 2003 6:32 am

Guest

On Tue, 23 Dec 2003 17:00:41 +0100, Mok-Kong Shen
<mok-kong.shen@t-online.de> wrote, in part:

Quote:

Well, it is possible that an adversary would guess the time and
message number. So as you have outlined it, the scheme could be bad.

If one used a truly random session key to actually encrypt the
message, and used a key-exchange key to encrypt the session key, that
would be good, since the amount of known plaintext for any one key is
minimized.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html

Mok-Kong Shen

Posted: Wed Dec 24, 2003 8:11 am

Guest

John Savard wrote:

Quote:

But the said unique value is encrypted (by a master key)
to become a key that is used in the proper encryption.
I don't yet see how easy one is to get the encryption
key, as long as the master key is kept secret. Thanks.

M. K. Shen

John Savard

Posted: Wed Dec 24, 2003 10:15 am

Guest

On Wed, 24 Dec 2003 14:11:11 +0100, Mok-Kong Shen
<mok-kong.shen@t-online.de> wrote, in part:

Quote:

But the said unique value is encrypted (by a master key)
to become a key that is used in the proper encryption.

I am sorry that I failed to read your post carefully. Yes, if the time
and message number are transmitted in the clear, but their encryption
by the master key is used as the key, that is acceptable.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html

Gregory G Rose

Posted: Wed Dec 24, 2003 12:53 pm

Guest

In article <3FE94DA5.E53BE50C@t-online.de>,
Mok-Kong Shen <mok-kong.shen@t-online.de> wrote:

Quote:

Could you give some references of such opinions? How
about the case of ECB (which I suppose is what the
figures of analytical attacks refer to) that should
anyway provide a lower bound? Thanks.

ECB is unsafe at any speed, as Mok-Kong damn well
knows.

Greg.
--
Greg Rose
232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
Qualcomm Australia: http://www.qualcomm.com.au

Mok-Kong Shen

Posted: Wed Dec 24, 2003 1:18 pm

Guest

Gregory G Rose wrote:

Quote:

In article <3FE94DA5.E53BE50C@t-online.de>,
Mok-Kong Shen <mok-kong.shen@t-online.de> wrote:
Could you give some references of such opinions? How
about the case of ECB (which I suppose is what the
figures of analytical attacks refer to) that should
anyway provide a lower bound? Thanks.

ECB is unsafe at any speed, as Mok-Kong damn well
knows.

But, the materials needed for analytical attacks
is therefore likely to be of smaller quantity than
other better modes and this would hence lead to a
ower estimate of the number of units of plaintexts to
be encrypted before a change of key is required.
This way, one would get a figure that is conservative
and applicable for all modes, I suppose.

M. K. Shen

Mok-Kong Shen

Posted: Wed Dec 24, 2003 1:29 pm

Guest

Mok-Kong Shen wrote:

Quote:

Gregory G Rose wrote:

In article <3FE94DA5.E53BE50C@t-online.de>,
Mok-Kong Shen <mok-kong.shen@t-online.de> wrote:
Could you give some references of such opinions? How
about the case of ECB (which I suppose is what the
figures of analytical attacks refer to) that should
anyway provide a lower bound? Thanks.

ECB is unsafe at any speed, as Mok-Kong damn well
knows.

But, the materials needed for analytical attacks
is therefore likely to be of smaller quantity than
other better modes and this would hence lead to a
ower estimate of the number of units of plaintexts to
be encrypted before a change of key is required.
This way, one would get a figure that is conservative
and applicable for all modes, I suppose.

Typo: Read 'lower' for 'ower'.

BTW, I find your sentence yet somewhat difficult to
interpret. Consider also what the CTR mode actually does.
It is running the cipher in ECB mode on a counter, isn't
it?

M. K. Shen

Roger Wilco

Posted: Thu Dec 25, 2003 1:40 pm

Guest

jsavard@ecn.aSBLOKb.caNADA.invalid (John Savard) wrote in message news:<3fe9ad17.1125562@news.ecn.ab.ca>...

Quote:

On Wed, 24 Dec 2003 14:11:11 +0100, Mok-Kong Shen
mok-kong.shen@t-online.de> wrote, in part:

But the said unique value is encrypted (by a master key)
to become a key that is used in the proper encryption.

I am sorry that I failed to read your post carefully. Yes, if the time
and message number are transmitted in the clear, but their encryption
by the master key is used as the key, that is acceptable.

John Savard
http://home.ecn.ab.ca/~jsavard/index.html

Data encryption 360 degrees rotation document 90 degrees and
encryption
on every angel then change it two binary code and fold it over like a
piece of paper then having the one's and zero cancel each other out.

if you written a very long letter and then change it two binary code
it would look like this

01010101010101010101010
10010101010101010101010
01010101001010101010010
00010101000101010101010
10010101010100101010101
would equal = 01
01010101010100001100101
01001010101010101010111
11110111001101010101010
01010101010101010101010
10101010101010101010101

if you took the piece of paper and folded it and folded it and folded
it the 0 and 1 would cancel each out and if you keep folding the piece
of paper too the smallest you would have 4 numbers left if 1+1 =
nothing and 0 + 0 = nothing 1+0=1 and 0+1+0
01 now if the key new the folding times you could send 2 bytes over
the internet and unzip a
100 zetabyte program you computer could store all the programs ever
written but just need the key to unzip then you could us this for SETI
for signals or can you imagine a computer processor that would be 1.8
Hz but run like 100 million zeta hz you could use the new 64 bit
process second side to unzip while the front side processes. or use
this for the matrix or quantum computing or supercomputer. 64 bit. 1+1
= nothing and 0 + 0 = nothing 1+0=1 and 0+1+0 dont forrget to use <
and > signes 0>1+1<0

Page 1 of 2 Goto page 1, 2 Next All times are GMT - 5 Hours The time now is Thu Oct 16, 2008 2:19 am Science Forum Index