Perry E. Metzger (perry@piermont.com)
Thu, 09 Jul 1998 10:35:12 -0400
Cicero writes:
> What do you see as the problems with:
>
> 1. Hash the data
> 2. Encrypt the data in CBC mode with the hash as key
>
> If the hash and cipher are both strong, this should be good.
What I see wrong with this is that it is voodoo, not analysis.
Anyone can "tell you" that just hashing with a good hash "should" be
good if you know how many bits of entropy are present, but I've
learned not to trust "should" in this field. Guesswork isn't
scientific analysis. What I want is something like a mathematical
proof that, if the hash has some given property or properties (say,
the strict avalanche criterion), then distillation works. Then all you
need is to make yourself reasonably certain that the hash possesses
said properties and you are done.
One would have expected that someone would have come up with
literature long ago giving good proofs about entropy distillation and
telling you whether it was okay or not and/or how to do it in a way
that is provably good. Unfortunately, the research simply hasn't been
done. I've begged several cryptographers to do research on the field,
but thus far, not much has happened.
By-the-seat-of-the-pants-ism is okay in many fields related to
computers, but in cryptography it is deadly.
I remember early on, before Hugo Krawczyk demonstrated why you didn't
want to naively append a key to a text and then hash it to produce a
MAC, saying "oh, this should just work fine" and proposing it for use
in IPSEC, and even getting fairly mad when Hugo mumbled about it not
necessarily having a strong basis in the field. Then Hugo demonstrated
a much better mechanism (HMAC), complete with mathematical proof, and
I had to retreat with my tail between my legs.
In this field, especially as the base level of cryptosystems gets
better, attacks will be focused more and more on little chinks in the
cryptographic armor. I prefer not to leave them through sloppiness.
Perry
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:14 ADT