Bill Stewart (bill.stewart@pobox.com)
Wed, 25 Mar 1998 09:00:32 -0800
>Brian Hurt wrote:
>| The idea I had was that instead of having monotonically
>| increasing sequence numbers, use a (cryptographically
>| secure) pseudo-random number sequence based off of
>| the MAC key. The chaff would, of course, have random
>| sequence numbers based off a different sequence of
>| pseudo-random numbers.
At 08:50 AM 3/25/98 -0500, Adam Shostack wrote:
> Is your scheme to replace the use of the MAC with a PRNG
>sequencing, or combine the two? It seems to me that the first might
>be equivalent in security, and the second might be a win.
You need a cryptographically strong MAC; otherwise the eavesdropper
can crack the message (CRCs aren't strong enough, for instance).
But using a PRNG sequence number instead of 0-1-2-3-... is fine,
as long as you do it in a way that doesn't leak information
about the MAC key. It doesn't really buy you very much security,
since one-bit messages and inverse chaff already give you that,
but it does annoy the eavesdropper.
Not leaking information about the MAC key is important;
ideally you should use some extra keying material,
but you can probably settle on something like
SHA1("GENERATE PRNG KEY",secretkey) and
SHA1("GENERATE MAC KEY",secretkey).
On the other hand, it probably makes more sense to use
short sequence numbers in your packets, e.g. 3 or 7 bits,
so there isn't much room for a PRNG to play around anyway.
>I don't see a legitimacy to resequencing someone else's packets.
Nor do I - especially if the boundaries between sequence number,
data, and MAC are user-selectable.
Thanks!
Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
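The key separation and PRNG-sequenced chaffing and winnowing described in the message above, as an added Python example that is not part of the original thread. It uses the SHA1("GENERATE PRNG KEY", secretkey) / SHA1("GENERATE MAC KEY", secretkey) derivation from the message as written; the PRNG itself (HMAC-SHA1 over the packet index, truncated to 7-bit sequence numbers), the HMAC-SHA1 packet MAC, the inverse-chaff layout (same sequence number, opposite bit, random MAC), and the sample secret and message are assumptions for illustration, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import random

SEQ_BITS = 7                       # short sequence numbers, as the message suggests
SEQ_MASK = (1 << SEQ_BITS) - 1

# Constructed sample inputs for the demonstration.
SECRET = b"constructed shared secret for the demo"
MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]


def derive_keys(secret: bytes):
    """Split one shared secret into a PRNG key and a MAC key by domain
    separation, using the SHA1("label", secret) construction from the
    message. Each subkey is a 20-byte SHA-1 digest."""
    prng_key = hashlib.sha1(b"GENERATE PRNG KEY" + secret).digest()
    mac_key = hashlib.sha1(b"GENERATE MAC KEY" + secret).digest()
    return prng_key, mac_key


def seq_number(prng_key: bytes, index: int) -> int:
    """Pseudo-random sequence number for the index-th wheat packet.
    Assumption: the keyed PRNG is HMAC-SHA1 over the packet index,
    truncated to SEQ_BITS. The message does not fix a construction."""
    digest = hmac.new(prng_key, index.to_bytes(8, "big"), hashlib.sha1).digest()
    return int.from_bytes(digest[:2], "big") & SEQ_MASK


def tag(mac_key: bytes, seq: int, bit: int) -> bytes:
    """HMAC-SHA1 over (sequence number, data bit); winnowing checks this."""
    return hmac.new(mac_key, bytes([seq, bit]), hashlib.sha1).digest()


def chaff(secret: bytes, bits, seed=None):
    """Sender side: one wheat packet per bit plus one inverse-chaff packet
    carrying the same sequence number, the opposite bit and a random MAC.
    The pair is shuffled so position does not reveal which one is wheat."""
    rng = random.Random(seed)
    prng_key, mac_key = derive_keys(secret)
    stream = []
    for i, bit in enumerate(bits):
        seq = seq_number(prng_key, i)
        pair = [(seq, bit, tag(mac_key, seq, bit)),      # wheat
                (seq, bit ^ 1, os.urandom(20))]          # inverse chaff
        rng.shuffle(pair)
        stream.extend(pair)
    return stream


def winnow(secret: bytes, stream):
    """Receiver side: keep a packet only if its MAC verifies under the MAC
    key AND its sequence number is the one the PRNG predicts for the next
    bit. Chaff fails the MAC; the sequence check rejects out-of-order or
    replayed wheat without the sender ever revealing the MAC key."""
    prng_key, mac_key = derive_keys(secret)
    bits = []
    for seq, bit, mac in stream:
        expected = seq_number(prng_key, len(bits))
        if seq == expected and hmac.compare_digest(mac, tag(mac_key, seq, bit)):
            bits.append(bit)
    return bits


def demo(seed=7):
    """Run the constructed message through chaff and winnow."""
    stream = chaff(SECRET, MESSAGE, seed=seed)
    return stream, winnow(SECRET, stream)


if __name__ == "__main__":
    stream, recovered = demo()
    for seq, bit, mac in stream:
        print(f"seq={seq:3d} bit={bit} mac={mac.hex()[:16]}...")
    print("recovered:", recovered)
```

An eavesdropper without the secret sees 16 packets whose sequence numbers carry no ordering information and whose MACs are indistinguishable from random; only the holder of the MAC key can separate wheat from chaff. Because the PRNG key and the MAC key are separate digests of the secret, learning the sequence-number schedule tells the eavesdropper nothing about the MAC key, which is the property the message insists on.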
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:16:17 ADT